Page 1: Junos OS 11.4 Release Notes - Juniper Networks

Junos® OS 11.4 Release Notes

Release 11.4R1    8 December 2011    Revision 5

These release notes accompany Release 11.4R1 of the Junos OS. They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and the EX Series Ethernet Switches.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at https://www.juniper.net/techpubs/software/junos/.

Contents

Junos OS Release Notes for EX Series Switches . . . 7
  New Features in Junos OS Release 11.4 for EX Series Switches . . . 7
    Hardware . . . 7
    Access Control and Port Security . . . 8
    Ethernet Switching and Spanning Trees . . . 8
    Infrastructure . . . 8
    Layer 2 and Layer 3 Protocols . . . 9
    Management and RMON . . . 9
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches . . . 10
    Ethernet Switching and Spanning Trees . . . 10
    Fibre Channel over Ethernet . . . 10
    Hardware . . . 10
  Limitations in Junos OS Release 11.4 for EX Series Switches . . . 11
    Firewall Filters . . . 11
    Hardware . . . 11
    Infrastructure . . . 12
    Interfaces . . . 13
    J-Web Interface . . . 13
    Management and RMON . . . 14
    Multicast Protocols . . . 14
    Virtual Chassis . . . 14

1Copyright © 2011, Juniper Networks, Inc.


  Outstanding Issues in Junos OS Release 11.4 for EX Series Switches . . . 15
    Ethernet Switching and Spanning Trees . . . 15
    Infrastructure . . . 16
    Interfaces . . . 17
    J-Web Interface . . . 17
    Software Upgrade and Installation . . . 19
    Virtual Chassis . . . 19
  Resolved Issues in Junos OS Release 11.4 for EX Series Switches . . . 19
    Issues Resolved in Release 11.4R1 . . . 20
  Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches . . . 28
    Changes to the Junos OS for EX Series Switches Documentation . . . 29
    Errata . . . 29
  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches . . . 29
    Upgrade and Downgrade Support Policy for Junos OS Releases . . . 29
    Upgrading from Junos OS Release 10.4R3 or Later . . . 30
    Upgrading from Junos OS Release 10.4R2 or Earlier . . . 31
    Downgrading to Junos OS Release 10.4R2 or Earlier . . . 45
    Downgrading to an Earlier Junos OS Release . . . 46
    Upgrading EX Series Switches Using NSSU . . . 46
Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers . . . 49
  New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers . . . 49
    Class of Service . . . 49
    High Availability . . . 54
    Interfaces and Chassis . . . 56
    Junos OS XML API and Scripting . . . 73
    Layer 2 Ethernet Services . . . 75
    MPLS Applications . . . 75
    Network Management . . . 79
    Routing Protocols . . . 82
    Subscriber Access Management . . . 83
    System Logging . . . 109
    User Interface and Configuration . . . 116
    VPNs . . . 117
  Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers . . . 117
    Errata . . . 117
    Changes to the Junos OS Documentation Set . . . 125


Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers . . . 127
  New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 127
    Software Features . . . 128
    Hardware Features—SRX210 Services Gateways . . . 136
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 137
    Command-Line Interface (CLI) . . . 138
    Intrusion Detection and Prevention (IDP) . . . 138
    Multicast . . . 139
    Virtual Private Networks (VPNs) . . . 139
  Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 139
    AppSecure . . . 139
    AX411 Access Points . . . 140
    Chassis Cluster . . . 140
    Command-Line Interface (CLI) . . . 141
    DOCSIS Mini-PIM . . . 141
    Dynamic Host Configuration Protocol (DHCP) . . . 141
    Dynamic VPN . . . 141
    Flow and Processing . . . 142
    Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN . . . 143
    Hardware . . . 145
    Interfaces and Routing . . . 145
    Internet Key Exchange Version 2 (IKEv2) . . . 147
    Intrusion Detection and Prevention (IDP) . . . 147
    IPv6 IPsec . . . 149
    Layer 2 Transparent Mode . . . 150
    IPv6 Support . . . 150
    J-Web . . . 150
    Network Address Translation (NAT) . . . 151
    Power over Ethernet (PoE) . . . 152
    Security . . . 152
    Simple Network Management Protocol (SNMP) . . . 153
    Switching . . . 153
    Unified Threat Management (UTM) . . . 154
    Upgrade and Downgrade . . . 154
    Virtual Private Networks (VPNs) . . . 155
    Unsupported CLI for Branch SRX Series Services Gateways and J Series Services Routers . . . 155
      Accounting-Options Hierarchy . . . 155
      AX411 Access Point Hierarchy . . . 155
      Chassis Hierarchy . . . 155
      Class-of-Service Hierarchy . . . 155
      Ethernet-Switching Hierarchy . . . 155
      Firewall Hierarchy . . . 156
      Interfaces CLI Hierarchy . . . 156


        Aggregated Interface CLI . . . 156
        ATM Interface CLI . . . 157
        Ethernet Interfaces . . . 158
        GRE Interface CLI . . . 158
        IP Interface CLI . . . 158
        LSQ Interface CLI . . . 159
        PT Interface CLI . . . 159
        T1 Interface CLI . . . 159
        VLAN Interface CLI . . . 160
      Protocols Hierarchy . . . 160
      Routing Hierarchy . . . 161
      Services Hierarchy . . . 161
      SNMP Hierarchy . . . 161
      System Hierarchy . . . 161
  Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 162
    Application Layer Gateway (ALG) . . . 162
    Chassis Cluster . . . 162
    Flow and Processing . . . 162
    Interfaces and Routing . . . 163
    Intrusion Detection and Prevention (IDP) . . . 163
    J-Web . . . 164
    Layer 2 Transparent Mode . . . 165
    Network Address Translation (NAT) . . . 166
    Upgrade and Downgrade . . . 166
    UTM . . . 166
    VPN . . . 167
  Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 167
    Application Layer Gateways (ALGs) . . . 168
    Authentication . . . 168
    Chassis Cluster . . . 168
    DHCP . . . 169
    Flow and Processing . . . 169
    Interfaces and Routing . . . 170
    Intrusion Detection and Prevention (IDP) . . . 170
    J-Web . . . 170
    License . . . 171
    NAT . . . 171
    Switching . . . 171
    UTM . . . 171
    Virtual Private Network (VPN) . . . 171
  Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 172
    Errata for the Junos OS Software Documentation . . . 172
    Errata for the Junos OS Hardware Documentation . . . 174


  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers . . . 176
    Upgrade and Downgrade Scripts for Address Book Configuration . . . 177
    Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . 179
    Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways and J Series Services Routers . . . 179
Junos OS Release Notes for High-End SRX Series Services Gateways . . . 182
  New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 182
    Software Features . . . 183
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 195
    AppSecure Application Package Upgrade Changes . . . 196
    General Packet Radio Service (GPRS) . . . 196
    Intrusion Detection and Prevention (IDP) . . . 196
    IPv6 . . . 197
    Management Information Base (MIB) . . . 197
    Multicast . . . 198
    Security . . . 198
  Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 198
    AppSecure . . . 198
    Chassis Cluster . . . 199
    Dynamic Host Configuration Protocol (DHCP) . . . 200
    Dynamic VPN . . . 200
    Flow and Processing . . . 200
    Hardware . . . 201
    Interfaces and Routing . . . 202
    Internet Key Exchange Version 2 (IKEv2) . . . 202
    Intrusion Detection and Prevention (IDP) . . . 203
    Internet Protocol Security (IPsec) . . . 205
    IPv6 IPsec . . . 205
    IPv6 Support . . . 206
    J-Web . . . 207
    Logical Systems . . . 208
    Network Address Translation (NAT) . . . 209
    Security . . . 211
    Simple Network Management Protocol (SNMP) . . . 211
    Unsupported CLI . . . 211
    Virtual Private Networks (VPNs) . . . 212
  Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 212
    Application Layer Gateway (ALG) . . . 212
    Chassis Cluster . . . 213
    Flow and Processing . . . 213
    Interfaces and Routing . . . 215
    Intrusion Detection and Prevention (IDP) . . . 215
    J-Web . . . 215
    Logical Systems . . . 216


    Management Information Base (MIB) . . . 216
    Network Address Translation (NAT) . . . 216
    Upgrade and Downgrade . . . 217
    Virtual Private Network (VPN) . . . 217
  Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 217
    Application Layer Gateways (ALGs) . . . 218
    Chassis Cluster . . . 218
    Flow and Processing . . . 218
    Installation and Upgrade . . . 219
    Intrusion Detection and Prevention (IDP) . . . 219
    Infrastructure . . . 219
    Interfaces and Routing . . . 219
    IPv6 . . . 219
    J-Web . . . 219
    Logical Systems . . . 220
    Network Address Translation (NAT) . . . 220
    SNMP MIBs . . . 220
    Virtual Private Network (VPN) . . . 220
  Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 220
    Errata for the Junos OS Software Documentation . . . 220
    Errata for the Junos OS Hardware Documentation . . . 221
  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 223
    Upgrade and Downgrade Scripts for Address Book Configuration . . . 223
    Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . 226
    Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services Gateways . . . 226
Junos OS Documentation and Release Notes . . . 227
Documentation Feedback . . . 227
Requesting Technical Support . . . 227
Revision History . . . 229


Junos OS Release Notes for EX Series Switches

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

New Features in Junos OS Release 11.4 for EX Series Switches

This section describes new features in Release 11.4 of the Junos operating system (Junos OS) for EX Series switches.

Not all EX Series software features are supported on all EX Series switches in the current release. For a list of all EX Series software features and their platform support, see EX Series Switch Software Features Overview.

New features are described on the following pages:

• Hardware on page 7

• Access Control and Port Security on page 8

• Ethernet Switching and Spanning Trees on page 8

• Infrastructure on page 8

• Layer 2 and Layer 3 Protocols on page 9

• Management and RMON on page 9

Hardware

• Support for enhanced feature licenses on EX3300 switches—EX3300 switches now support enhanced feature licenses (EFLs). [See Understanding Software Licenses for EX Series Switches.]

• EX4500 Virtual Chassis and mixed EX4200 and EX4500 Virtual Chassis enhancements—An EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis can now include up to ten EX4500 member switches. An EX4200 switch and an EX4500 switch can now be configured in the master and backup roles in the same mixed EX4200 and EX4500 Virtual Chassis. These Virtual Chassis now support nonstop bridging (NSB) and Link Aggregation Control Protocol (LACP). [See EX3300, EX4200, and EX4500 Virtual Chassis, Understanding Nonstop Bridging on EX Series Switches, and Understanding Aggregated Ethernet Interfaces and LACP.]

• New line card support for EX8200 Virtual Chassis—The following line cards can now be used in EX8200 switches that are members of an EX8200 Virtual Chassis:


• EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+ line card)

• EX8200-2XS-40T (40-port RJ-45 with 4-port SFP and 2-port SFP+ line card)

• EX8200-48PL (48-port PoE+ 20-Gbps line card)

• EX8200-48TL (48-port RJ-45 20-Gbps line card)

• EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+ line card)

[See Line Card Model and Version Compatibility in an EX8200 Switch.]

• New extra-scale EX8200 line card—A new extra-scale line card provides larger route table sizes than its associated non-extra-scale model to store more IPv4 and IPv6 unicast routes. This extra-scale model is supported on standalone EX8200 switches and on EX8200 Virtual Chassis.

• 40-port SFP+ line card (EX8200-40XS-ES)

[See Line Card Model and Version Compatibility in an EX8200 Switch.]

Access Control and Port Security

• Persistent MAC learning—Persistent MAC learning, also known as sticky MAC, is a port security feature that allows retention of dynamically learned MAC addresses on an interface across restarts of the switch and interface-down events. Persistent MAC address learning is disabled by default. By enabling persistent MAC learning along with MAC limiting, you can allow interfaces to learn MAC addresses of trusted workstations and servers during the period from when you connect the interface to your network until the limit for MAC addresses is reached, and ensure that after this initial period with the limit reached, new devices will not be allowed even if the switch restarts. The alternatives to using persistent MAC learning with MAC limiting are to statically configure each MAC address on each port or to allow the port to continuously learn new MAC addresses after restarts or interface-down events. [See Understanding Persistent MAC Learning (Sticky MAC).]
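The following configuration fragment is an added illustration of the two port-security settings the item above describes; it is not taken from the release notes, and the interface names (ge-0/0/10, ge-0/0/11) and the limit of 3 addresses are assumed example values. The first interface has MAC limiting only, so its learned addresses are lost on every restart or link-down event and the port re-learns whatever shows up next; the second adds persistent learning, so the addresses learned before the limit was reached stay bound to the port across restarts.

```junos
ethernet-switching-options {
    secure-access-port {
        /* ge-0/0/10.0 (assumed name): MAC limiting only.
           Learned addresses are discarded on a switch restart or an
           interface-down event, after which the port accepts up to 3
           new source MACs again, so a swapped-in device is admitted. */
        interface ge-0/0/10.0 {
            mac-limit 3 action drop;
        }
        /* ge-0/0/11.0 (assumed name): MAC limiting plus persistent
           (sticky) MAC learning. The first 3 addresses learned are kept
           across restarts and link flaps; once the limit is reached,
           frames from any other source MAC are dropped, and that still
           holds after the switch reboots. */
        interface ge-0/0/11.0 {
            persistent-learning;
            mac-limit 3 action drop;
        }
    }
}
```

The retained entries can be reviewed with show ethernet-switching table persistent-mac, and an entry for a decommissioned host must be cleared explicitly (clear ethernet-switching table persistent-mac) because a restart no longer does it.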

Ethernet Switching and Spanning Trees

• Distributed periodic packet management (PPM) virtual routing and forwarding (VRF) support—VRF traffic is now processed on EX Series switches through distributed periodic packet management (PPM). Distributed PPM processing is transparent to users, and it allows the switches to better manage VRF traffic. [See Understanding Distributed Periodic Packet Management on EX Series Switches.]

Infrastructure

• Nonstop active routing for Protocol Independent Multicast (PIM) on EX8200 switches and EX8200 Virtual Chassis—Nonstop routing (NSR) for PIM is now supported on EX8200 switches and on EX8200 Virtual Chassis. You can now configure NSR to enable the transparent switchover between the master and backup Routing Engines without having to restart PIM. [See Understanding Nonstop Active Routing on EX Series Switches.]


• Enhancement for upgrades of loader software on EX8200 switches from Release 10.3R2 or earlier—Loader software can now be upgraded on the backup Routing Engine, thus reducing the downtime for the switch when upgrading software from Release 10.3R2 or earlier. For releases 10.4R3 or later, the loader software does not need to be upgraded.

Layer 2 and Layer 3 Protocols

• OSPFv2 on EX3300 switches—EX3300 switches now support OSPFv2. [See Layer 3 Protocols Supported on EX Series Switches.]

• Routed multicast traffic on virtual routing and forwarding (VRF) instances—Routed multicast traffic is now supported on all VRF instances, not just the default instance. [See Understanding Virtual Routing Instances on EX Series Switches.]

Management and RMON

• Erasure of all user-created files on the switch—A new media option is now available for the request system zeroize command. The request system zeroize media command completely erases all user-created files from the switch, including plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and Simple Network Management Protocol (SNMP), replacing all user-created data with zeros, and then reboots the switch, returning it to the factory default configuration. (Without the media option, the request system zeroize command simply removes configuration and log files and resets key values, then reboots the switch, returning it to the factory default configuration.)

CAUTION: Before running the request system zeroize or request system zeroize media command, use the request system snapshot command to back up the files currently used to run the switch to a secondary device.

[See request system zeroize.]

• Ethernet frame delay measurement—You can obtain Ethernet frame delay measurements (ETH-DM) on an EX Series switch. You can configure Operation, Administration, and Maintenance (OAM) statements for connectivity fault management (CFM) (IEEE 802.1ag) to provide on-demand measurements of frame delay and frame delay variation (jitter). You can configure the frame delay measurements in either a one-way mode or a two-way (round-trip) mode to gather frame delay statistics, including simultaneous statistics from multiple sessions. [See Understanding Ethernet Frame Delay Measurements on Switches.]

• Support for IEEE 802.1ag Ethernet OAM on EX8200 switches—Support for the IEEE 802.1ag standard for Operation, Administration, and Management (OAM) is now available on EX8200 switches. The IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM), which monitors Ethernet networks that might comprise one or more service instances for network-compromising connectivity faults. [See Understanding Ethernet OAM Link Fault Management for an EX Series Switch.]


Related Documentation

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches

This section lists the changes in default behavior and syntax in Junos OS Release 11.4 for EX Series switches.

Ethernet Switching and Spanning Trees

• The ingress-counting configuration statement in the [edit vlans] hierarchy has been renamed l3-interfaces-ingress-counting. You use this configuration statement to activate a routed VLAN interface (RVI) input counter on a named VLAN on an EX8200 switch.

Fibre Channel over Ethernet

• On the EX4500 switch, App-FCoE and ETS values appear in output for the show dcbx neighbors terse command but are not applicable to the switch; ignore these values.

Hardware

• If you configure an SFP uplink module to operate in 1-gigabit mode by including the sfpplus statement at the [edit chassis fpc slot pic pic-number] hierarchy of the configuration, the configuration has no effect and no warning or error message is displayed. The sfpplus statement configures the operating mode for SFP+ uplink modules only, in Junos OS Releases 10.4R2 and later.

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29


Limitations in Junos OS Release 11.4 for EX Series Switches

This section lists the limitations in Junos OS Release 11.4 for EX Series switches. If the limitation is associated with an item in our bug database, the description is followed by the bug tracking number.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application at http://www.juniper.net/prsearch.

Firewall Filters

• On EX3200 and EX4200 switches, when a very large number of firewall filters are included in the configuration, it might take a long time, possibly as long as a few minutes, for the egress filter rules to be installed. [PR/468806: This is a known software limitation.]

• On EX3300 switches, if you add and delete filters with a large number of terms (on the order of 1000 or more) in the same commit operation, not all the filters are installed. As a workaround, add filters in one commit operation, and delete filters in a separate commit operation. [PR/581982: This is a known software limitation.]

• On EX8200 switches, if you configure an implicit or explicit discard action as the last term in an IPv6 firewall filter on a loopback (lo0) interface, all the control traffic from the loopback interface is dropped. To prevent this, you must configure an explicit accept action. [This is a known software limitation.]

Hardware

• On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network ports do not blink to indicate that there is link activity if you set the speed of the network ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the LEDs blink. [PR/502178: This is a known limitation.]

• The Uplink Modules in EX3200 Switches topic notes the following behavior for the SFP uplink module, which provides four ports for 1-gigabit small form-factor pluggable (SFP) transceivers: “On an EX3200 switch, if you install a transceiver in an SFP uplink module, a corresponding network port from the last four built-in ports is disabled. For example, if you install an SFP transceiver in port 2 on the uplink module (ge-0/1/2) on 24-port models, then ge-0/0/22 is disabled. The disabled port is not listed in the output of show interface commands.”

Another note on the same page describes similar behavior of the SFP+ uplink module: “On an EX3200 switch, if you install a transceiver in an SFP+ uplink module when the uplink module is operating in the 1-gigabit mode, a corresponding network port from the last four built-in ports is disabled. For example, if you install an SFP transceiver in port 2 on the uplink module (ge-0/1/2), then ge-0/0/22 is disabled. The disabled port is not listed in the output of show interfaces commands.”

However, in both cases what actually occurs is that when you install the SFP uplink module or explicitly configure the mode on an SFP+ uplink module to 1-gigabit operating mode and do not reboot the switch, the last four built-in ports on the switch are disabled. If transceivers are installed in the uplink module, the corresponding built-in network ports are not displayed in the output of show interfaces commands. The workaround is to move all four links to the uplink module, or to reboot the switch for correct initialization of the ports. [PR/686467: This is a known limitation.]

Infrastructure

• Do not use nonstop software upgrade (NSSU) to upgrade the software on an EX8200 switch from Junos OS Release 10.4 to Release 11.1 or later if you have configured the PIM, IGMP, or MLD protocols on the switch. If you attempt to use NSSU, your switch might be left in a nonfunctional state from which it is difficult to recover. If you have these multicast protocols configured, use the request system software add command to upgrade the software on an EX8200 switch from Release 10.4 to Release 11.1 or later. [This is a known software limitation.]

• On EX Series switches, the show snmp mib walk etherMIB command does not display any output, even though the etherMIB is supported. This occurs because the values are not populated at the module level—they are populated at the table level only. You can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable, and show snmp mib walk dot3ControlTable commands to display the output at the table level. [PR/442373: This is a known software limitation.]

• Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that displays the message “Loss of communication with Backup RE”. However, no functionality is affected. [PR/477943: This is a known software limitation.]

• On EX4500 switches, the maintenance menu is not disabled even if you include the lcd maintenance-menu disable statement in the configuration. [PR/551546: This is a known software limitation.]

• When you enable the filter-id attribute on the RADIUS server for a particular client, none of the required 802.1X authentication rules are installed in the IPv6 database. Therefore, IPv6 traffic on the authenticated interface is not filtered; only IPv4 traffic is filtered on that interface. [PR/560381: This is a known software limitation.]

• On EX8200 switches, if OAM link-fault management (LFM) is configured on a member of a VLAN on which Q-in-Q tunneling is also enabled, OAM PDUs cannot be transmitted to the Routing Engine. [PR/583053: This is a known software limitation.]

• If you have configured sFlow technology on an EX8200 switch that you are upgrading from Junos OS Release 10.4 or Release 11.1 using nonstop software upgrade (NSSU), disable sFlow technology before you perform the upgrade. If you have configured sFlow technology on an EX8200 switch that you are upgrading from Junos OS Release 11.1 to Release 11.2 or later using nonstop software upgrade (NSSU), disable sFlow technology before you perform the upgrade. Once the upgrade is complete, you can reenable sFlow technology. If you do not disable sFlow technology before you perform the upgrade with NSSU, sFlow technology will not work properly after the upgrade. Using NSSU to upgrade from Release 11.2 or later to a later release has no impact on sFlow technology functionality. [PR/587138: This is a known software limitation.]

• When you reconfigure the maximum transmission unit (MTU) value of a next hop more than eight times without restarting the switch, the interface uses the maximum value of the eight previously configured values as the next MTU value. [PR/590106: This is a known software limitation.]

• On EX8208 and EX8216 switches that have two Routing Engines, one Routing Engine cannot be running Junos OS Release 10.4 or later while the other one is running Release 10.3 or earlier. Ensure that both Routing Engines in a single switch run either Release 10.4 or later or Release 10.3 or earlier. [PR/604378: This is a known software limitation.]
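The three NSSU-related limitations above (PIM/IGMP/MLD configured on a 10.4 to 11.1-or-later upgrade, sFlow configured on an upgrade from 10.4 or 11.1 [PR/587138], and Routing Engines on opposite sides of the 10.3/10.4 boundary [PR/604378]) can be turned into a pre-upgrade check. The following is an added example, not Juniper code; the configuration lines in Junos set format, the version strings and the function names are constructed for the example.

```python
"""Added example (not Juniper's code): pre-upgrade check for the EX8200 NSSU
limitations in these release notes. Configuration lines, versions and names
are constructed for the example."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int]

# Junos version strings look like "10.4R3" or "11.4R1"; only major.minor
# matter for the limitations checked here, so the R/B/S suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")

# "set"-format configuration lines the limitations refer to. PIM/IGMP/MLD
# may be configured at the top level or under a routing instance.
_MULTICAST_RE = re.compile(r"\bprotocols (pim|igmp|mld)\b")
_SFLOW_RE = re.compile(r"^set protocols sflow\b")

# Constructed sample configuration (not taken from any real switch).
SAMPLE_CONFIG = [
    "set system host-name ex8200-core",
    "set protocols ospf area 0.0.0.0 interface vlan.100",
    "set protocols pim interface all mode sparse",
    "set protocols igmp interface vlan.100",
    "set protocols sflow collector 192.0.2.10",
    "set protocols sflow interfaces ge-0/0/0.0",
    "set routing-instances CUST1 instance-type virtual-router",
    "set routing-instances CUST1 protocols pim interface vlan.200",
]


def parse_version(text: str) -> Version:
    """Return (major, minor) from a version string such as '10.4R3'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def configured_multicast_protocols(config: List[str]) -> List[str]:
    """Sorted list of pim/igmp/mld protocols present anywhere in the config."""
    found = set()
    for line in config:
        m = _MULTICAST_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def sflow_configured(config: List[str]) -> bool:
    return any(_SFLOW_RE.match(line) for line in config)


def nssu_findings(config: List[str], current: str, target: str,
                  re0: Optional[str] = None,
                  re1: Optional[str] = None) -> List[str]:
    """Conditions under which NSSU from `current` to `target` must not be
    used as-is. `re0`/`re1` are the versions running on the two Routing
    Engines and default to `current`."""
    cur, tgt = parse_version(current), parse_version(target)
    findings: List[str] = []

    # NSSU from 10.4 to 11.1 or later with PIM, IGMP or MLD configured may
    # leave the switch nonfunctional; the notes say to use
    # "request system software add" instead.
    mcast = configured_multicast_protocols(config)
    if cur == (10, 4) and tgt >= (11, 1) and mcast:
        findings.append(
            "do not use NSSU: " + ", ".join(p.upper() for p in mcast)
            + " configured; upgrade with 'request system software add'")

    # PR/587138: disable sFlow before NSSU from 10.4 or 11.1 and re-enable
    # it afterwards; NSSU from 11.2 or later has no impact on sFlow.
    if sflow_configured(config) and cur in ((10, 4), (11, 1)):
        findings.append("disable sFlow before NSSU and re-enable it after "
                        "the upgrade completes")

    # PR/604378: both Routing Engines must be on the same side of the
    # 10.3/10.4 boundary before the upgrade starts.
    re0 = re0 or current
    re1 = re1 or current
    if (parse_version(re0) >= (10, 4)) != (parse_version(re1) >= (10, 4)):
        findings.append(f"Routing Engines run {re0} and {re1}: one is on "
                        "10.4 or later and the other on 10.3 or earlier")
    return findings


if __name__ == "__main__":
    for finding in nssu_findings(SAMPLE_CONFIG, "10.4R3", "11.4R1",
                                 re0="10.4R3", re1="10.3R2"):
        print("-", finding)
```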

Interfaces

• EX Series switches do not support IPv6 interface statistics. Therefore, all values in the output of the show snmp mib walk ipv6IfStatsTable command always display a count of 0. [PR/480651: This is a known software limitation.]

• On EX8216 switches, a link might go down momentarily when an interface is added to a LAG. [PR/510176: This is a known software limitation.]

• On EX Series switches, if you clear LAG interface statistics while the LAG is down, then bring up the LAG and pass traffic without checking for statistics, and finally bring the LAG interface down and check interface statistics again, the statistics might be inaccurate. As a workaround, use the show interfaces interface-name command to check LAG interface statistics before bringing down the interface. [PR/542018: This is a known software limitation.]

• You must connect directly to the master Switch Fabric and Routing Engine (SRE) module or Routing Engine (RE) module of the EX8200 member switch to configure Power over Ethernet (PoE) or Power over Ethernet Plus (PoE+) on an EX8200 Virtual Chassis. You cannot configure PoE or PoE+ through the XRE200 External Routing Engine.

To configure PoE or PoE+ on an EX8200 member switch in an operational EX8200 Virtual Chassis:

1. Connect directly to the member switch that contains the ports on which you will configure PoE or PoE+ using one of the following methods:

  • Log in to the Virtual Chassis, then enter the request session member member-id command to redirect the session to the member switch.

  • Cable a terminal device to the console port (labeled CON) on the master SRE or RE module. See Connecting an EX Series Switch to a Management Console.

2. Configure PoE or PoE+. See Configuring PoE (CLI Procedure).

J-Web Interface

• EX2200-C, EX3300, and EX6210 switches do not support switch connection and configuration through the J-Web interface. [This is a known software limitation.]

• If four or more EX8200-40XS line cards are inserted in an EX8208 or EX8216 switch, the Support Information page (Maintain > Customer Support > Support Information) in the J-Web interface might fail to load because the configuration might be larger than the maximum size of 5 MB. The error message "Configuration too large to handle" is displayed. [PR/552549: This is a known software limitation.]


• The J-Web interface does not support role-based access control; it supports only users in the super-user authorization class. So a user who is not in the super-user class, such as a user with view-only permission, is able to launch the J-Web interface and is allowed to configure everything, but the configuration fails on the switch, and the switch displays access permission errors. [PR/604595: This is a known software limitation.]

Management and RMON

• On EX Series switches, an SNMP query fails when the SNMP index size of a table is greater than 128 bytes, because the NetSNMP tool does not support SNMP index sizes greater than 128 bytes. [PR/441789: This is a known software limitation.]

• When MVRP is configured on a trunk interface, you cannot configure connectivity fault management (CFM) on that interface. [PR/540218: This is a known software limitation.]

• The connectivity-fault management (CFM) process (cfmd) might create a core file. [PR/597302: This is a known software limitation.]

Multicast Protocols

• MLD snooping of IPv6 multicast traffic is not supported. Layer 2 multicast traffic is always flooded on the VLAN.

Virtual Chassis

• On an EX4500 Virtual Chassis, if you issue the ping command to the IPv6 address of the virtual management Ethernet (VME) interface, the ping fails. [PR/518314: This is a known software limitation.]

• The automatic software update feature is not supported on EX4500 switches that are members of a Virtual Chassis. [PR/541084: This is a known software limitation.]

• When an EX4500 switch becomes a member of a Virtual Chassis, it is assigned a member ID. If that member ID is a nonzero value, then if that member switch is downgraded to a software image that does not support Virtual Chassis, you cannot change the member ID to 0. A standalone EX4500 switch must have a member ID of 0. The workaround is to convert the EX4500 Virtual Chassis member switch to a standalone EX4500 switch before downgrading the software to an earlier release, as follows:

1. Disconnect all Virtual Chassis cables from the member to be downgraded.

2. Convert the member switch to a standalone EX4500 switch by issuing the request virtual-chassis reactivate command.

3. Renumber the member ID of the standalone switch to 0 by issuing the request virtual-chassis renumber command.

4. Downgrade the software to the earlier release.

[PR/547590: This is a known software limitation.]

• When you add a new member switch to an existing EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis in a ring topology, a member switch that was already part of the Virtual Chassis might become nonoperational for several seconds. The member switch will return to the operational state with no user intervention. Network traffic to the member switch is dropped during the downtime. To avoid this issue, follow this procedure:

1. Cable one dedicated or user-configured Virtual Chassis port (VCP) on the new member switch to the existing Virtual Chassis.

2. Power on the new member switch.

3. Wait for the new switch to become operational in the Virtual Chassis. Monitor the show virtual-chassis command output to confirm the new switch is recognized by the Virtual Chassis and is in the Prsnt state.

4. Cable the other dedicated or user-configured VCP on the new member switch to the Virtual Chassis.

[PR/591404: This is a known software limitation.]

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

Outstanding Issues in Junos OS Release 11.4 for EX Series Switches

The following are outstanding issues in Junos OS Release 11.4R1 for EX Series switches. The identifier following the description is the tracking number in our bug database.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application at http://www.juniper.net/prsearch.

Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in Issues in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers.

Ethernet Switching and Spanning Trees

• If the bridge priority of a VSTP root bridge is changed such that this bridge will become a nonroot bridge, the transition might take more than 2 minutes, and you might see a loop during the transition. [PR/661691]

• On EX Series and QFX Series switches, if you reconfigure a trunk port to access mode (and if you perform the necessary dependent configurations to delete all but one of the VLANs), or if you reconfigure an access port to trunk mode, VLAN Spanning Tree Protocol (VSTP) instances might not converge properly, resulting in the formation of a loop. As a workaround, delete the VSTP configuration before reconfiguring the ports. [PR/668449]

• When the same MAC address is learned on two VLANs, an Ethernet switching process (eswd) core file might be created. [PR/693942]

Infrastructure

• The system log (syslog) files contain the message "Juniper syscall not available". These messages are harmless, and you can ignore them. [PR/519153]

• On EX8208 switches, when a line card that has no interface configurations and is not connected to any device is taken offline using the request chassis fpc-slot slot-number offline command, the Bidirectional Forwarding Detection process (bfd) starts and stops repeatedly. The same bfd process behavior occurs on a line card that is connected to a Layer 3 domain when another line card that is on the same switch and is connected to a Layer 2 domain is taken offline. [PR/548225]

• On switches on which a large number of VLAN interfaces are configured, when the backup Routing Engine is rebooting and a large amount of traffic is being sent, OSPF and IS-IS sessions might go down and come back up on routed VLAN interfaces (RVIs). [PR/603940]

• On switches on which a large number of VLAN interfaces are configured, BFD sessions might go down and come back up on routed VLAN interfaces (RVIs) during a graceful Routing Engine switchover (GRES) operation. [PR/612642]

• On EX8200 switches, if a graceful Routing Engine switchover occurs and you then issue the restart routing command, a routing protocol process (rpd) core file might be created. [PR/660739]

• On EX4500 switches, ICMPv6 packets might transit the Routing Engine even though IPv6 is not configured. [PR/682953]

• On EX Series switches, when you are configuring DHCP option 82, the use-interface-description statement, which uses the interface description rather than the interface name (the default) in the circuit ID or remote ID value in the DHCP option 82 information, does not work. [PR/695712]

• When the switch is performing 802.1X (dot1x) authentication using MAC RADIUS, you might see the following message in the system log (syslog) file: "kmem type temp using 57344K, exceeding limit 57344K". [PR/697815]

• When PIM is configured in a routing instance and nonstop active routing (NSR) is enabled, a core file might be created after a graceful Routing Engine switchover (GRES) operation. [PR/702796]


Interfaces

• When you configure the member interfaces of an aggregated Ethernet interface before you configure the aggregated Ethernet (ae0) device using set commands from the CLI, the aggregated Ethernet interface does not receive MAC updates. As a workaround, configure the aggregated Ethernet interface first, then configure the member interfaces. [PR/680913]

J-Web Interface

• In the J-Web interface, in the Port Security Configuration page (Configure > Security > Port Security), you are required to configure action when you configure MAC limit even though configuring an action value is not mandatory in the CLI. [PR/434836]

• In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration page, the Global Information table in the BGP Configuration page, or the Add Interface window in the LACP Configuration page, if you try to change the position of columns using the drag-and-drop method, only the column header moves to the new position instead of the entire column. [PR/465030]

• When a large number of static routes is configured and you have navigated to pages other than page 1 in the Route Information table on the Static Routing monitoring page in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page but does not return to page 1. For example, if you run a query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. [PR/476338]

• In the J-Web interface, the dashboard does not display the uplink ports or uplink module ports unless transceivers are plugged into the ports. [PR/477549]

• In the J-Web interface for EX4500 switches, the Port Configuration page (Configure > Interfaces > Ports), the Port Security Configuration page (Configure > Security > Port Security), and the Filters Configuration page (Configure > Security > Filters) display features that are not supported on EX4500 switches. [PR/525671]

• When you use an HTTPS connection in the Microsoft Internet Explorer browser to save a report from the following pages in the J-Web interface, the error message “Internet Explorer was not able to open the Internet site” is displayed on the pages:

  • Files page (Maintain > Files)

  • History page (Maintain > Config Management > History)

  • Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)

  • Static Routing page (Monitor > Routing > Route Information)

  • Support Information page (Maintain > Customer Support > Support Information)

  • View Events page (Monitor > Events and Alarms > View Events)

[PR/542887]


• When you open a J-Web session using HTTPS, then enter a username and password and click on the Login button, the J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. [PR/549934]

• If you have accessed the J-Web interface using an HTTPS connection through the Microsoft Internet Explorer Web browser, you might not be able to download and save reports from some pages on the Monitor, Maintain, and Troubleshoot tabs. Some affected pages are at these locations:

  • Maintain > Files > Log Files > Download

  • Maintain > Config Management > History

  • Maintain > Customer Support > Support Information > Generate Report

  • Troubleshoot > Troubleshoot Port > Generate Report

  • Monitor > Events and Alarms > View Events > Generate Report

  • Monitor > Routing > Route Information > Generate Report

As a workaround, you can use the Mozilla Firefox Web browser to download and save reports using an HTTPS connection. [PR/566581]

• If you have created dynamic VLANs by enabling MVRP from the CLI, then in the J-Web interface, the following features do not work with dynamic VLANs and static VLANs:

  • On the Port Configuration page (Configure > Interface > Ports)—Port profile (select the interface, click Edit, and select Port Role) or the VLAN option (select the interface, click Edit, and select VLAN Options).

  • VLAN option on the Link Aggregation page (Configure > Interface > Link Aggregation)—Select the aggregated interface, click Edit, and click VLAN.

  • On the 802.1X Configuration page (Configure > Security > 802.1x)—VLAN assignment in the exclusion list (click Exclusion List and select VLAN Assignment) or the move to guest VLAN option (select the port, click Edit, select 802.1X Configuration, and click the Authentication tab).

  • Port security configuration (Configure > Security > Port Security).

  • On the Port Mirroring Configuration page (Configure > Security > Port Mirroring)—Analyzer VLAN or ingress or egress VLAN (click Add or Edit and then add or edit the VLAN).

[PR/669188]

• On EX4500 switches, you cannot configure BGP on the BGP Configuration page (Configure > Routing > BGP). [PR/699308]

• In the J-Web interface, HTTPS access might work with an invalid certificate. As a workaround, after you change the certificate, issue the restart web-management command to restart the J-Web interface. [PR/700135]

• On EX4500 Virtual Chassis, if you use the CLI to switch from Virtual Chassis mode to intraconnect mode, the J-Web dashboard might not list all the Virtual Chassis hardware components and the image of the master and backup chassis might not be visible after an autorefresh occurs. [PR/702924]

• In the J-Web interface, if you disable a port whose link status is down, the J-Web interface displays the incorrect link status for that interface. [PR/705836]


• In the J-Web interface on an EX4500 Virtual Chassis, if you configure four or more Virtual Chassis members on the Support Information page (Maintain > Customer Support > Support Information), you might see the error "Configuration of switch is too large". [PR/704992]

• In a mixed-mode Virtual Chassis, the J-Web interface does not list the features supported by the backup line card. Instead, it lists only the features supported by the master. [PR/707671]

Software Upgrade and Installation

• On EX3300 switches, when you load the factory default settings, the last two ports of the uplink ports are configured as Virtual Chassis ports (VCPs). If you convert these ports to normal network ports, they might not pass traffic. As a workaround, reboot the switch after converting the ports. [PR/685300]

Virtual Chassis

• In an EX4200 Virtual Chassis, if a member other than the master reboots from the backup partition, the system alarm "Host #Boot from backup root" should clear when that member is rebooted from the active partition. However, the master retains the alarm until it is rebooted or until the mastership switches. [PR/694256]

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

Resolved Issues in Junos OS Release 11.4 for EX Series Switches

The following are the issues that have been resolved in Junos OS Release 11.4 for EX Series switches. The identifier following the descriptions is the tracking number in our bug database.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application at http://www.juniper.net/prsearch.

• Issues Resolved in Release 11.4R1 on page 20

Issues Resolved in Release 11.4R1

The following issues have been resolved in Junos OS Release 11.4R1. The identifier following the description is the tracking number in our bug database.

Access Control and Port Security

• If storm control is enabled, the Link Aggregation Control Protocol (LACP) might stop and then restart when Layer 2 packets are sent at a high rate. As a workaround, disable storm control for all multicast traffic on aggregated Ethernet interfaces by issuing the command set ethernet-switching-options storm-control interface interface-name no-multicast. [PR/575560: This issue has been resolved.]

• When the username for 802.1X (dot1x) authentication is longer than 50 characters, Junos OS truncates the username field. [PR/588063: This issue has been resolved.]

• The show lldp neighbors command displays interface descriptions instead of interface names. [PR/602442: This issue has been resolved.]

• If you have configured 802.1X (dot1x) on an interface, then removed the 802.1X configuration, 802.1X filters configured on that interface are not deleted. [PR/662196: This issue has been resolved.]

• When you reboot or upgrade the software on a switch that has an active client connected to an 802.1X interface, a VLAN core file might be created. [PR/686513: This issue has been resolved.]

Device Security

• If you configure storm control with the action shutdown, after you reboot the switch, storm control is not enabled on all the ports on which it is configured. [PR/606054: This issue has been resolved.]

Ethernet Switching and Spanning Trees

• On EX8200 switches, you might not be able to configure private VLANs across the switch. [PR/599729: This issue has been resolved.]

• An EX Series switch might take more than 20 minutes to learn ARP entries, with the result that incorrect Layer 2 next hops might be installed on the Packet Forwarding Engine. This behavior can lead to inconsistent or intermittent communication issues with devices that are connected to the switch. [PR/612605: This issue has been resolved.]

• On EX8200 switches, a Q-in-Q service VLAN might not be removed when a packet enters through a trunk port and exits from an access port. [PR/660247: This issue has been resolved.]

• When BPDUs are forwarded to the best-effort queue instead of to the control queue, MSTP might not converge. [PR/665376: This issue has been resolved.]


• On an EX4200 switch, when you disable a Q-in-Q interface on which you have configured a large number (more than 500) of VLAN swap rules, control traffic might be affected for about 10 minutes. During this time, the forwarding process (pfem) can consume up to 98 percent of the CPU. The system resumes its normal state after the forwarding process completes its processing. [PR/678792: This issue has been resolved.]

• If you apply a large number of VLAN tags (approximately 1000 tags) and commit the configuration after applying each individual tag, an mgd core file might be created. [PR/680841: This issue has been resolved.]

• RSTP might process BPDUs that do not comply with the IEEE standard, which might lead to unintended spanning-tree convergence behavior. [PR/683829: This issue has been resolved.]

• When you enable VLANs and Q-in-Q tunneling on a switch, the switch drops packets and no MAC address learning occurs. [PR/685481: This issue has been resolved.]

Firewall Filters

• When you configure a firewall filter for the ethernet-switching family, a pfem core file might be created. [PR/580454: This issue has been resolved.]

• On EX8200 switches, if you configure a discard term on an egress firewall filter, the filter might not block ARP broadcast packets. [PR/672621: This issue has been resolved.]

• For two-rate, three-color policers, the egress traffic might not flow at the configured peak information rate (PIR). [PR/687564: This issue has been resolved.]

• When you configure VLAN ID translation when using Q-in-Q tunneling, if you apply a tricolor marking (TCM) policer to the Q-in-Q interface, a Packet Forwarding Engine (pfem) core file might be created. [PR/688438: This issue has been resolved.]

Hardware

• On an EX8200-40XS line card, if you insert an SFP transceiver into a port and then disable autonegotiation on the port, the link does not come up. [PR/609413: This issue has been resolved.]

• When certain SFPs that are not attached to optical cables are inserted into an EX Series switch, the switch does not generate low-power warnings or alarms. The transceivers that exhibit this behavior have these vendor (Opnext) part numbers: TRS2000EN-S201 (10G-SR), TRS2000EN-S211 (10G-SR), and TRS5020EN-S201 (10G-LR). Use the show chassis pic fpc-slot fpc-number pic-slot pic-number command to display the vendor part numbers of the transceivers in your switch. [PR/613153: This issue has been resolved.]

• When the switch temperature exceeds its threshold, alarms for EX-PFE2 Packet Forwarding Engines might not be raised. The functionality of the switch is not affected. [PR/614354: This issue has been resolved.]


• On EX6210 switches, traffic might not exit from the 10-Gigabit Ethernet interfaces on the Routing Engines. [PR/669330: This issue has been resolved.]

• On EX4500 switches, the LCD panel might not list the ADM (administrative status) or DPX (duplex) options in the Idle menu. Also, when you press Enter to cycle through the status LED modes, you might not be able to cycle through them. [PR/692341: This issue has been resolved.]

High Availability

• On EX8200 Virtual Chassis, NSSU might get stuck when you upgrade FPCs one by one. As a workaround, configure upgrade groups for groups of FPCs, which you can then upgrade simultaneously, with minimal traffic loss. [PR/669764: This issue has been resolved.]

• When you perform a nonstop software upgrade (NSSU) operation on an EX8200 Virtual Chassis, if you do not include the reboot option when you request the NSSU to have the switch perform an automatic reboot, the upgrade might hang indefinitely after the Junos OS images have been pushed to the master Routing Engine. [PR/692422: This issue has been resolved.]

Infrastructure

• The number of users reported by the show system users command does not include Web users. [PR/572822: This issue has been resolved.]

• On EX8200 switches, packets might occasionally be dropped with CRC32 errors, which is a result of Packet Forwarding Engine corruption. [PR/576934: This issue has been resolved.]

• On EX2200 switches, if you configure the dhcp-option82 statement, the switch might stop operating and a software forwarding process (sfid) core file might be created. [PR/588990: This issue has been resolved.]

• During a reboot of an EX8200 switch, the links on the interfaces of neighboring devices might go up and down repeatedly even though the interfaces on the EX8200 switch that connect to those interfaces on neighboring devices have not yet been initialized. [PR/591800: This issue has been resolved.]

• When you press the tab key during an SFTP session, an sftp core file might be created. [PR/593327: This issue has been resolved.]

• On EX8200 switches or on XRE200 External Routing Engines, after routing and traffic recover from a graceful Routing Engine switchover (GRES) operation, a core file might be created after the Ethernet switching process (eswd) is restarted or after a line card is taken offline. [PR/596013: This issue has been resolved.]

• If you move a host to a port associated with a different DHCP pool than the one with which it was originally associated, the Preboot Execution Environment (PXE) boot process might fail. [PR/596152: This issue has been resolved.]

• The system log (syslog) file might contain the following message: "/var: filesystem full". [PR/600145: This issue has been resolved.]


• On EX Series switches, the request system snapshot command mistakenly includes the as-primary option. [PR/603204: This issue has been resolved.]

• When you commit an IPv6 configuration, the switch might display the db> prompt. [PR/606959: This issue has been resolved.]

• On EX4200 switches, if you specify the source-address statement when configuring a system log file, the switch might not send the correct source IP address to the syslog server after the switch reboots. [PR/608724: This issue has been resolved.]

• In rare instances, a file system inconsistency might exist if you shut down an EX Series switch ungracefully. The result is a system panic, and a vmcore file is created. As a workaround, use the nand-mediack utility for checking bad blocks in the NAND flash memory. Review KB20570 (http://kb.juniper.net/InfoCenter/index?page=content&id=KB20570) from the Juniper Technical Assistance Center for instructions about how to use this utility. [PR/609798: This issue has been resolved.]

• Packet loss of about 2 percent to 5 percent might occur for traffic destined to MAC addresses starting with 03: or 09:. [PR/658631: This issue has been resolved.]

• When you upgrade Junos OS, traffic might not flow between two directly connected interfaces. [PR/661131: This issue has been resolved.]

• If you have configured port 1 on the SFP uplink module, the system log files might show an error and might get full within a few minutes. [PR/661426: This issue has been resolved.]

• If you remove or change interfaces soon after completing a nonstop software upgrade (NSSU) operation, the multicast snooping process (mcsnoopd) might create a core file. [PR/662065: This issue has been resolved.]

• If you delete a VLAN that has no VLAN ID, firewall filters might stop operating properly. [PR/662651: This issue has been resolved.]

• When DHCP unicast packets are processed on a server for the first time, the processing time might slow down, which might prevent the DHCP lease from getting renewed. [PR/668511: This issue has been resolved.]

• Layer 3 next-hop entries might remain queued in the kernel of the backup Routing Engine and might never be installed in the forwarding table. [PR/670799: This issue has been resolved.]

• A memory leak might occur, as evidenced by "jt_nh_multiple_init() returned error code (No memory:3)!" system log (syslog) messages. This leak disrupts traffic forwarding. [PR/676826: This issue has been resolved.]

• On EX Series switches, issuing the request system zeroize command reboots the switch but fails to remove the configuration files in the /config and /var/db/config directories and other user-created data. [PR/678403: This issue has been resolved.]

• The system log (syslog) files might contain storm-control–related messages even when storm control is not configured. [PR/679231: This issue has been resolved.]

• The management process (mgd) might create a core file when reading very long lines. For example, this can happen when the system displays a Junos OS configuration file that contains very long lines. When mgd crashes, the command that you were executing does not complete and the following errors appear in the messages file:

%KERN-3-BAD_PAGE_FAULT: pid 57182 (mgd), uid 0: pc 0x8870ab92 got a write fault at 0x8488000, x86 fault flags = 0x6
%KERN-6: pid 57182 (mgd), uid 0: exited on signal 11 (core dumped)

[PR/679992: This issue has been resolved.]

• The /var/log/wtmp file might become excessively large, and thus the switch might run out of disk space on the /var partition. As a workaround, use the request system storage cleanup command, or manually delete and re-create the /var/log/wtmp file from the shell. [PR/681369: This issue has been resolved.]

• When the same firewall filter and Layer 3 classifier is applied to two Layer 3 interfaces, a Packet Forwarding Engine (pfem) core file might be created. [PR/683747: This issue has been resolved.]

• On EX2200 switches, when you have configured a syslog action on the me0 interface, the switch might crash. [PR/694602: This issue has been resolved.]

• On EX3200 and EX4200 switches, transmit FIFO queue overruns might cause the switch to stop working. [PR/695071: This issue has been resolved.]

Interfaces

• If you use the restart vrrp command to restart VRRP, a ppmd core file might be created. [PR/602606: This issue has been resolved.]

• On EX4200 switches, when an uplink fails or is deactivated, failure detection is not propagated to the downlink LAG interfaces. [PR/605468: This issue has been resolved.]

• The Ethernet interfaces in a link aggregation group (LAG) might all have the same current MAC address as the parent aggregated Ethernet (ae-) interface. [PR/681385: This issue has been resolved.]

• You might not be able to commit a configuration on an XRE200 External Routing Engine, and the switch might display the error "could not save to juniper.save+". [PR/689764: This issue has been resolved.]

• An EX4200 switch might stop forwarding traffic, and a Packet Forwarding Engine (pfem) core file might be created. [PR/691504: This issue has been resolved.]

• When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd) core file might be created. [PR/692126: This issue has been resolved.]

• On EX3200, EX4200, EX4500, EX6200, EX8208, and EX8216 switches, the root user is allowed to telnet into the me0 interface, which does not comply with the default Junos OS behavior, as documented in Connecting and Configuring an EX Series Switch (CLI Procedure). [PR/695346: This issue has been resolved.]


IPv6

• On EX Series switches, IPv6 neighbor unreachability detection does not work. As a workaround, use the clear ipv6 neighbor command to initiate neighbor detection. [PR/613230: This issue has been resolved.]

J-Web Interface

• In the J-Web interface, the link status might not be displayed correctly on the Port Configuration page or the LACP (Link Aggregation Control Protocol) Configuration page if the Commit Options preference is set to "single commit" (the Validate configuration changes option). [PR/566462: This issue has been resolved.]

• If the password has been removed from the authentication-order statement and the external authentication server (TACACS+ or RADIUS) is down, you might not be able to log in to the J-Web interface. [PR/599613: This issue has been resolved.]

• In the J-Web interface, when you open the Static Routing Configuration page (Configure > Routing > Static Routing) and click Edit to edit an IPv6 static route, the J-Web interface displays the page for editing IPv4 addresses. As a workaround, use the CLI to edit the IPv6 addresses. [PR/660613: This issue has been resolved.]

• In the J-Web interface, the report generated from the Events page (Monitor > Events and Alarms > View Events) does not show the description for the first four to five events. As a workaround, view the description from the Events page or from the Junos OS CLI. [PR/661752: This issue has been resolved.]

• On EX8200 Virtual Chassis that include an EX8216 switch in which an EX8200-40XS line card is installed in slot 2, 3, or 4, the J-Web interface does not populate the line card's interfaces images in the expanded view of the dashboard. As a workaround, install the line card in a slot other than one of these three. [PR/662231: This issue has been resolved.]

• In the J-Web interface, on the Static Routing configuration page (Configure > Routing > Static Route > Add), you can configure only negative values and boundary values in the IP octet, but you cannot configure empty values. As a workaround, fill in all the octets before committing the values. [PR/665435: This issue has been resolved.]

• In the J-Web interface, you cannot associate a filter name that contains spaces to a VLAN on the VLAN Configuration page (Configure > Switching > VLAN). As a workaround, go to the Filters Configuration page (Configure > Security > Filters), click the filter name to be associated, and then click Edit. In the popup window, use the Association tab to associate a VLAN to the filter. [PR/677145: This issue has been resolved.]

• In the J-Web interface, on the Redundant Trunk Group (RTG) Configuration page (Configure > Switching > RTG), the Commit option is not enabled. As a workaround, select the Validate and commit configuration change option before modifying the configuration. [PR/677220: This issue has been resolved.]


• In the J-Web interface, the tooltip for Fan Image might not load in the dashboard. As a workaround, view the fan status on the Chassis Information page (Monitor > System View > Chassis Information). [PR/677922: This issue has been resolved.]

• In the J-Web interface, the dashboard is not displayed. [PR/700274: This issue has been resolved.]

Layer 2 and Layer 3 Protocols

• If a router or switch acting as both an autonomous system boundary router (ASBR) and an area border router (ABR) is reachable through both a backbone area and a stub area, and if the advertisement through the stub area has a higher metric than the advertisement through the backbone area, the external routes might be installed incorrectly in the routing table. The routing table entry incorrectly shows that the next hop is through the stub area. [PR/610813: This issue has been resolved.]

• When a BGP interface is flapping quickly, BGP might unnecessarily withdraw prefixes even when a good route to that prefix still exists. [PR/677191: This issue has been resolved.]

• In the J-Web interface, if you discard any available MIB profile, file, or predefined object from accounting-options on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform the same operation from the CLI. [PR/689261: This issue has been resolved.]

Management and RMON

• When you configure sFlow monitoring technology, the switch allows you to configure separate ingress and egress sample rates on the same interface. Configuring more than one sample rate on an interface can lead to inaccurate results, so configure just one rate per interface. [PR/582521: This issue has been resolved.]

• The dot1qVlanStaticUntaggedPorts MIB reports incorrect values for voice VLANs. [PR/658559: This issue has been resolved.]

• When you configure both sFlow monitoring technology and port mirroring features, parity errors might occur, which might cause the switch to crash and then reboot. [PR/658614: This issue has been resolved.]

• sFlow technology does not support IPv6 collectors, source IP addresses, or agent IDs. In Junos OS releases previous to this one, configuration of these features was not blocked. If your configuration includes any of these features, you must remove them before upgrading to this Junos OS release. [PR/659922: This issue has been resolved.]

• When you create a static ARP entry for an interface and then issue the show snmp mib walk command, the static ARP entry is incorrectly identified in the command output as a dynamic entry (3) rather than a static entry (4). [PR/662290: This issue has been resolved.]

• When the system is being polled for SNMP statistics, the syslog message "Process (930,mib2d) attempted to exceed RLIMIT_DATA: attempted 65552 KB Max 65536 KB" might appear repeatedly in the system log (syslog) file. This is the result of a memory leak caused by the MIB2 process (mib2d). [PR/664475: This issue has been resolved.]


• When you use the snmpwalk application to get information about switch interfaces, it returns information about incorrect interfaces. [PR/664940: This issue has been resolved.]

• For EX Series switches, sFlow technology and routing policy have been removed from the extended feature license (EFL). An EFL is now required only for the following features: Q-in-Q tunneling, BFD liveness detection, connectivity fault management (CFM), IGMP, MSDP, OSPFv2, PIM and PIM sparse mode, real-time performance monitoring (RPM), service VLANs (S-VLANs), unicast reverse path forwarding (RPF), virtual routers, and VRRP. [PR/672346: This issue has been resolved.]

Multicast Protocols

• You might not be able to delete stale multicast routes even though no corresponding (S, G) traffic exists. [PR/674419: This issue has been resolved.]

• If interfaces go up and down frequently, a memory leak might occur and cfmd and mcsnoopd core files might be created. [PR/688356: This issue has been resolved.]

• Approximately every 300 seconds, a multicast route entry is deleted and added back again, resulting in a traffic loss of about 1-3 seconds. [PR/698129: This issue has been resolved.]

Power over Ethernet

• On EX2200-C switches, two problems might occur when devices powered by Power over Ethernet (PoE) are connected to the switch and the switch reboots. The first problem occurs when PoE is enabled on the switch interfaces. The powered devices connected to those interfaces draw power while the switch is rebooting, and then after the switch stabilizes, the powered devices reboot twice. The second problem occurs when PoE is disabled on the switch interfaces. The powered devices connected to those interfaces draw power while the switch is rebooting, and then after the switch stabilizes, the powered devices reboot twice and then shut down. As a workaround, if you do not want the powered devices to reboot, connect them to the interfaces after the switch has stabilized after its reboot. [PR/675971: This issue has been resolved.]

Software Installation and Upgrade

• On an XRE200 External Routing Engine, the rescue configuration might not get synchronized with the backup XRE200 External Routing Engine. [PR/687797: This issue has been resolved.]

Virtual Chassis

• On a Virtual Chassis that is configured with a private VLAN (PVLAN) and a link aggregation group (LAG), if the Virtual Chassis loses one of its members, traffic flow might not resume properly across the remaining LAG members, resulting in traffic loss. [PR/587953: This issue has been resolved.]

• On EX8200 Virtual Chassis, the link status of an aggregated Ethernet (ae-) interface managed by LACP goes down and comes back up when a graceful Routing Engine switchover (GRES) operation is performed between the XRE200 External Routing Engines. This switchover might have been initiated from the Junos OS CLI or because of a failure of the master Routing Engine. [PR/599772: This issue has been resolved.]

• On EX8200 Virtual Chassis running a Junos OS image with resilient dual-root partitioning, when the kernel synchronization process (ksyncd) on the backup Routing Engines fails or when the master and backup Routing Engines are out of sync, both conditions that create a ksyncd core file, it might take more than 12 minutes for the core file to be created. During this time, the Virtual Chassis is highly unstable: the Routing Engine CPU is at 100 percent; all control protocols, such as BFD, IS-IS, and OSPF, are constantly stopping and restarting; and the CLI prompt is not displayed after you type a CLI command. This issue does not occur with nonresilient dual-root partitioning Junos OS images. [PR/609061: This issue has been resolved.]

• On EX4200 Virtual Chassis, if you configure an interface hold time, when you insert or remove a transceiver, the chassis manager process (chassism) might create a core file. As a workaround, delete the hold-time statement from the interface configuration. [PR/664754: This issue has been resolved.]

• On EX8200 Virtual Chassis, if the topology is formed such that ingress multicast traffic is routed first to the rendezvous point (RP) and then returns to the Virtual Chassis for egress via Layer 2 multicast, the multicast traffic is forwarded only to receivers connected to the Virtual Chassis member in which the returned multicast traffic is received. Multicast traffic is not forwarded to other receivers in other Virtual Chassis members. [PR/666355: This issue has been resolved.]

• On EX8200 Virtual Chassis, GRE-tunneled traffic is not transmitted across the chassis. For possible workarounds, contact JTAC. [PR/669513: This issue has been resolved.]

• In Virtual Chassis composed of both EX4200 and EX4500 switches, you cannot configure PoE. [PR/671980: This issue has been resolved.]

• When EX4200 and EX4500 switches are interconnected into the same Virtual Chassis to form a mixed EX4200 and EX4500 Virtual Chassis, the switches might fail to form a Virtual Chassis. [PR/681072: This issue has been resolved.]

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches

• Changes to the Junos OS for EX Series Switches Documentation on page 29

• Errata on page 29


Changes to the Junos OS for EX Series Switches Documentation

There are no changes to the documentation for Junos OS Release 11.4R1 for EX Series switches.

Errata

There are no outstanding issues with the documentation for Junos OS Release 11.4R1 for EX Series switches.

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29

Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches

This section describes how to upgrade to or downgrade from Junos OS Release 11.4.

NOTE: If you are upgrading from Release 10.4R2 or earlier, you must install new loader software as part of the upgrade process. This special software upgrade takes a little more time to complete than a standard upgrade. See “Upgrading from Junos OS Release 10.4R2 or Earlier” on page 31 for instructions.

These instructions discuss the following subjects:

• Upgrade and Downgrade Support Policy for Junos OS Releases on page 29

• Upgrading from Junos OS Release 10.4R3 or Later on page 30

• Upgrading from Junos OS Release 10.4R2 or Earlier on page 31

• Downgrading to Junos OS Release 10.4R2 or Earlier on page 45

• Downgrading to an Earlier Junos OS Release on page 46

• Upgrading EX Series Switches Using NSSU on page 46

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.


You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.

Upgrading from Junos OS Release 10.4R3 or Later

This section contains the procedure for upgrading from Junos OS Release 10.4R3 or later to Junos 11.4. You can use this procedure to upgrade Junos OS on a standalone EX Series switch with a single Routing Engine and to upgrade all members of a Virtual Chassis or a single member of a Virtual Chassis.

To upgrade Junos OS on a standalone EX6200 switch or EX8200 switch with dual Routing Engines, see Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure).

On EX8200 switches and EX8200 Virtual Chassis, you can also use nonstop software upgrade (NSSU) to upgrade Junos OS as described in “Upgrading EX Series Switches Using NSSU” on page 46.

To upgrade Junos OS on a switch with a single Routing Engine or on a Virtual Chassis:

1. Download the software package as described in Downloading Software Packages from Juniper Networks.

2. (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide for instructions.

3. (Optional) Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory.

This step is optional because you can also upgrade Junos OS using a software image that is stored at a remote location.

4. Install the new software package on the switch:

user@switch> request system software add package

Replace package with one of the following paths:

• /var/tmp/package.tgz—For a software package in a local directory on the switch

• ftp://hostname/pathname/package.tgz or http://hostname/pathname/package.tgz—For a software package on a remote server

package.tgz is the name of the package; for example, jinstall-ex-4200-11.4R1.8-domestic-signed.tgz.

To install software packages on all switches in a mixed EX4200 and EX4500 Virtual

Chassis, use the set option to specify both the EX4200 package and the EX4500

package:

user@switch> request system software add set [package package]

To install the software package on only onemember of a Virtual Chassis, include the

member option:

user@switch> request system software add packagemembermember-id

Other members of the Virtual Chassis are not affected. To install the software on all

members of the Virtual Chassis, do not include themember option.

NOTE: To abort the installation, do not reboot your device. Instead, finish the installation, then issue the request system software delete package.tgz command, where package.tgz is the name of the package; for example, jinstall-ex-8200-11.4R1.8-domestic-signed.tgz. This is the last chance to stop the installation.

5. Reboot the switch to start the new software:

user@switch> request system reboot

To reboot only a single member in a Virtual Chassis, include the member option:

user@switch> request system reboot member

6. After the reboot has completed, log in and verify that the new version of the software

is properly installed:

user@switch> show version

Upgrading from Junos OS Release 10.4R2 or Earlier

Because of the introduction of resilient dual-root partitions in Release 10.4R3, upgrading to Junos OS Release 11.4 from Release 10.4R2 or earlier requires a different procedure than the one for upgrading from Release 10.4R3 or later. The dual-root partitions feature incorporates enhancements that add additional steps when you upgrade from a release that does not support resilient dual-root partitions to one that does. Once you are running a release that supports resilient dual-root partitions, such as Release 11.4, future upgrades will not require these additional steps.


The following points summarize the differences between this upgrade and previous

upgrades:

• The disk partitions are automatically reformatted to four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX8200 switches by 10 to 25 minutes per Routing Engine. For other switches, the increase in boot time is 5 to 10 minutes.

• The configuration files in /config are saved in volatile memory before the reformat and

then restored after the reformat. However, the files in /var are not saved and are lost

after the upgrade.

NOTE: We recommend that you copy your data files to external media using the request system snapshot command before you perform the upgrade. Files in the /var directory, such as log files and user /home directories, are not saved. In addition, a power failure during the reboot could cause the configuration files to be lost.

• You must upgrade the loader software. You upgrade the loader software by installing the loader software package from the CLI.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

On switches other than EX8200 switches, upgrading the loader software does not

significantly increase upgrade time because you can complete the upgrade of both

Junos OS and the loader software with a single reboot.

On EX8200 switches, upgrading the loader software requires an additional reboot per

Routing Engine because of the way the loader software is stored in the flash memory.

On EX8200 switches only, you can verify that the loader software requires upgrading

before you perform the upgrade—if the loader software does not need upgrading, the

additional reboot per Routing Engine is not required.

NOTE: If you upgrade to Release 11.4 and do not upgrade the loader software, the switch will come up and will function normally. However, if the switch cannot boot from the active root partition, it will not be able to transparently boot from the alternate root partition.

Table 1 on page 33 lists the installation packages required to upgrade the loader

software.


Table 1: Required Installation Packages for Upgrading the Loader Software

Platform                          Installation Package
EX2200 switch                     jloader-ex-2200-11.3build-signed.tgz
EX3200 switch                     jloader-ex-3242-11.3build-signed.tgz
EX4200 switch                     jloader-ex-3242-11.3build-signed.tgz
EX4500 switch                     jloader-ex-4500-11.3build-signed.tgz
EX8200 switch                     jloader-ex-8200-11.3build-signed.tgz
XRE200 External Routing Engine    The loader software does not need to be upgraded.

• When you upgrade to a release that supports resilient dual-root partitions from one that does not, the upgrade process automatically copies the contents of the primary root partition to the alternate root partition at the end of the upgrade process. Because the resilient dual-root partitions feature enables the switch to boot transparently from the alternate root partition, we recommend that you use the request system snapshot command to copy the contents of the primary root partition to the alternate root partition after all Junos OS upgrades to releases that include dual-root partitions.

NOTE: If you upgrade the loader software in a separate step after you upgrade Junos OS, users might see the following message when they log in to the switch:

At least one package installed on this device has limited support

This message can be safely ignored.

You can permanently remove this message by deleting the loader software package and rebooting the system. For example, on an EX4200 switch:

user@switch> request system software delete jloader-ex-3242
Unmounted /packages/mnt/jloader-ex-3242-11.3 ...

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

The following pages include more detailed instructions for performing a software upgrade from Release 10.4R2 or earlier:

• Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and EX8200 Virtual Chassis on page 34

• Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and Standalone EX4500 Switches on page 35

• Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis on page 36


• Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and EX4500 Virtual Chassis on page 38

• Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches on page 39

• Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis on page 42

Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and EX8200 Virtual Chassis

Before you begin the software upgrade on an EX8200 switch or an EX8200 Virtual Chassis, determine whether the loader software needs upgrading. It is possible that a switch running a Junos OS release earlier than Release 10.4R3 has a version of the loader software installed that supports resilient dual-root partitions. For example, the switch might have been shipped from the factory with a Junos OS release earlier than Release 10.4R3 but with a version of the loader software that supports resilient dual-root partitions. Or the switch might have been downgraded from a Junos OS release that supports resilient dual-root partitions but still retain a version of the loader software that supports resilient dual-root partitions.

NOTE: This procedure is available only on EX8200 switches. On all other switches, you must upgrade your loader software.

To determine whether the loader software needs upgrading:

1. Determine the version of the loader software:

user@switch> show chassis firmware
Part                     Type       Version
FPC 6                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 7                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4

NOTE: On an EX8200 Virtual Chassis, you cannot execute this command on the master external Routing Engine. The command must be executed on each member switch:

1. From the master external Routing Engine, start a shell session on the member switch. For example:

user@external-routing-engine> request session member 0

2. Enter the CLI and execute the show chassis firmware command.

3. Repeat these steps for the other member switch.


The loader software version appears after the timestamp for U-Boot 1.1.6. In the preceding example, the version is 3.5.0. (Ignore the 1.1.6 version information in U-Boot 1.1.6—it does not indicate whether or not the version of the loader software supports resilient dual-root partitioning.)

2. If the loader software version is 3.5.0 or later on EX8200 switches, your loader software does not need upgrading to support resilient dual-root partitioning. To upgrade to Release 11.4, install Junos OS, following the standard installation procedures. See “Upgrading from Junos OS Release 10.4R3 or Later” on page 30.

3. If the loader software version is earlier than 3.5.0, you must upgrade your loader software. Follow the instructions in “Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches” on page 39 or “Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis” on page 42.

Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and Standalone EX4500 Switches

To upgrade the loader software and Junos OS on EX2200, EX3200, standalone EX4200, and standalone EX4500 switches:

1. Download the loader software package and the Junos OS package from the Juniper

Networks website as described in Downloading Software Packages from Juniper

Networks. Place the software packages on an internal software distribution site or in

a local directory on the switch. We recommend using /var/tmp as the local directory

on the switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

2. Install the loader package:

user@switch> request system software add package

Replace package with one of the following paths:

• For a software package in the /var/tmp directory on the switch—/var/tmp/package.tgz

• For a software package on a remote server:

• ftp://hostname/pathname/package.tgz

• http://hostname/pathname/package.tgz

where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.

3. Install the Junos OS package, following the same procedure you used to install the

loader software package.

4. Reboot the switch:


user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

If you are monitoring the reboot from the console, you see messages similar to the following during the partition reformat:

Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
...
Restoring configuration

5. Verify that the loader software has been upgraded:

user@switch> show chassis firmware
Part     Type     Version
FPC 0    uboot    U-Boot 1.1.6 (Mar 28 2011 - 04:09:20) 1.0.0
         loader   FreeBSD/PowerPC U-Boot bootstrap loader 2.4

The U-Boot version that follows the date information must be 1.0.0 or later.

6. Verify that Junos OS has been upgraded:

user@switch> show version

Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis

You perform the upgrade of the loader software and Junos OS on an EX4200 Virtual Chassis from the Virtual Chassis master switch. The master switch pushes the installation packages to all Virtual Chassis members.

NOTE: It is required that a Virtual Chassis has the same version of Junos OS installed on all members in the Virtual Chassis. It is not recommended to install different versions of Junos OS on individual members of a Virtual Chassis, or to upgrade members individually. Upgrading individual members of a Virtual Chassis is not recommended, and could cause Virtual Chassis instability if running multiple Junos OS versions on individual members in a Virtual Chassis. See Understanding Automatic Software Update on EX4200 and EX4500 Virtual Chassis Member Switches and Replacing a Member Switch of an EX4200 or EX4500 Virtual Chassis Configuration (CLI Procedure).


To upgrade the loader software and Junos OS:

1. Download the loader software package and the Junos OS package from the Juniper

Networks website as described in Downloading Software Packages from Juniper

Networks. Place the software packages on an internal software distribution site or in

a local directory on the master switch. We recommend using /var/tmp as the local directory on the master switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

2. Log in to the master of the Virtual Chassis.

3. Install the loader software package:

• To install the package on all members of the Virtual Chassis:

user@switch> request system software add package

• To install the package on a single member of the Virtual Chassis:

user@switch> request system software add package member member-id

Replace package with one of the following paths:

• For a software package in the /var/tmp directory on the switch—/var/tmp/package.tgz

• For a software package on a remote server:

• ftp://hostname/pathname/package.tgz

• http://hostname/pathname/package.tgz

where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.

4. Install the Junos OS package, following the same procedure you used to install the

loader software package.

5. Reboot the Virtual Chassis (to reboot a single member, use the member option):

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

If you are monitoring the reboot from the console, you see messages similar to the following during the disk reformat:

Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
...
Restoring configuration

6. Verify that the new version of the loader software is on all members of the Virtual Chassis:

user@switch> show chassis firmware
fpc0:
--------------------------------------------------------------------------
Part     Type     Version
FPC 0    uboot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
         loader   FreeBSD/PowerPC U-Boot bootstrap loader 2.4
FPC 1    uboot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
         loader   FreeBSD/PowerPC U-Boot bootstrap loader 2.4

The U-Boot version that follows the date information must be 1.0.0 or later.

7. Verify that the new Junos OS release is on all members of the Virtual Chassis:

user@switch> show version

Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and EX4500 Virtual Chassis

To create an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis, you must upgrade Junos OS on the member switches to Release 11.1 or later before you form the Virtual Chassis. For instructions on how to upgrade Junos OS and the loader software on the member switches before they are part of the Virtual Chassis, see “Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and Standalone EX4500 Switches” on page 35.

If you did not upgrade the loader software on one or more of the member switches before you formed the Virtual Chassis, you can use the following procedure to upgrade the loader software on member switches after the Virtual Chassis is formed.

To upgrade the loader software:

1. Download the loader software package from the Juniper Networks website as described in Downloading Software Packages from Juniper Networks. Place the software packages on an internal software distribution site or in a local directory on the master switch. We recommend using /var/tmp as the local directory on the master switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

For a mixed EX4200 and EX4500 Virtual Chassis, you must download the loader packages for both switches.

2. Log in to the master of the Virtual Chassis.

3. Install the loader software package:


• To install the package on all members of an EX4500 Virtual Chassis:

user@switch> request system software add package

• To install the package on all members of a mixed EX4200 and EX4500 Virtual

Chassis:

user@switch> request system software add set [ex4200-package ex4500-package]

• To install the package on a single member of the Virtual Chassis:

user@switch> request system software add package member member-id

4. Reboot the Virtual Chassis (to reboot a single member, use the member option):

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

5. Verify that the correct version of the loader software is on all members of the Virtual Chassis:

root@switch> show chassis firmware
fpc0:
--------------------------------------------------------------------------
Part     Type     Version
FPC 0    uboot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
         loader   FreeBSD/PowerPC U-Boot bootstrap loader 2.4
FPC 1    uboot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
         loader   FreeBSD/PowerPC U-Boot bootstrap loader 2.4

The U-Boot version that follows the date information must be 1.0.0 or later.

Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches

On EX8200 switches, you must upgrade Junos OS before you can upgrade the loader software.

The loader software for an EX8200 Routing Engine resides in two flash memory banks.

One bank acts as the primary bank and the Routing Engine boots from it. The other bank

is the backup bank—if the Routing Engine cannot boot from the primary bank, it boots

from the backup bank. When you upgrade the loader software, the upgraded software

is installed in the backup bank, which then becomes the new primary bank. Thus the

primary and backup banks alternate each time you upgrade the loader software, with

the primary bank containing the most recently installed version of the software and the

backup bank containing the previous version.

To upgrade the loader software on an EX8200 Routing Engine, you must perform the upgrade twice: once for each bank. Each upgrade requires a reboot of the Routing Engine.

NOTE: If you do not upgrade the loader software in both banks and the Routing Engine boots from the previous version of the loader software in the backup bank, the Routing Engine will not be able to boot transparently from the alternate root partition if it attempts to do so because it cannot boot from the primary root partition.


For an EX8200 switch with redundant Routing Engines, you must upgrade the loader software on both Routing Engines.

To upgrade the Junos OS and loader software on an EX8200 switch:

1. Download and install the Junos OS package on each Routing Engine as described in

Installing Software on an EX Series Switch with Redundant Routing Engines (CLI

Procedure) or Installing Software on an EX Series Switch with a Single Routing Engine

(CLI Procedure).

2. Download the loader software package from the Juniper Networks website and place the software package on an internal software distribution site or in a local directory on the switch. We recommend using /var/tmp as the local directory on the switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

3. Log in to the switch and enter the shell. We recommend using a console connection.

4. (For a switch with a single Routing Engine, skip this step.) Enter the CLI, and determine which is the master and which is the backup Routing Engine:

user@switch> show chassis routing-engine

NOTE: If you do not have GRES enabled, you will not be able to use this command to determine which is the master and which is the backup Routing Engine. You can instead enter the shell and use this command to determine mastership:

% sysctl hw.re.mastership

A return of the value 1 means the Routing Engine on which you are logged in is the master. A return of the value 0 means the Routing Engine on which you are logged in is the backup.

5. Enter the configuration mode and disable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR):

user@switch# deactivate chassis redundancy graceful-switchover
user@switch# deactivate routing-options nonstop-routing

6. Log in to the backup Routing Engine:

user@switch> request routing-engine login other-routing-engine

7. Install the loader package:

user@switch> request system software add package

Replace package with one of the following paths:


• For a software package in the /var/tmp directory on the switch—/var/tmp/package.tgz

• For a software package on a remote server:

• ftp://hostname/pathname/package.tgz

• http://hostname/pathname/package.tgz

where package.tgz is, for example, jloader-ex-8200-11.3build-signed.tgz.

8. Determine the primary bank and the version of the loader software in the bank:

% kenv | grep boot.primary.bank
boot.primary.bank="0"
% kenv | grep boot.ver
boot.ver="2.4.0"

9. Upgrade the firmware:

user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....

10. After waiting for a couple of minutes, reboot the Routing Engine:

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

11. Enter the shell and verify that the previous backup bank is now the primary bank and that it contains the upgraded loader software:

% kenv | grep boot.primary.bank
boot.primary.bank="1"
% kenv | grep boot.ver
boot.ver="3.5.0"

12. To install the loader software in the current backup bank, repeat Step 7 through Step 11.

NOTE: If you installed the loader software package from /var/tmp, you might need to copy the loader software package to /var/tmp again before you can repeat Step 7 through Step 11 because it is sometimes removed after each installation.

13. (Optional) The following message might be displayed when a user logs in to the system:

--- JUNOS 11.4R1.9 built 2011-03-19 22:06:32 UTC
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details.

This message can be safely ignored. It appears as a result of upgrading the loader software after you upgrade Junos OS.

You can permanently remove this message by removing the loader software package and rebooting the system:


user@switch> request system software delete jloader-ex-8200
Unmounted /packages/mnt/jloader-ex-8200-11.3 ...

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

14. From the configuration mode, re-enable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR):

user@switch# activate chassis redundancy graceful-switchover
user@switch# activate routing-options nonstop-routing

15. After completing the upgrade of the loader software on the backup Routing Engine, perform a master switchover so the backup Routing Engine becomes the master:

user@switch> request chassis routing-engine master switch
Toggle mastership between routing engines ? [yes,no] (no) yes

Resolving mastership...
Complete. The other local routing engine becomes the master.
{backup}
user@switch>

16. Follow the same procedure for upgrading the loader software that you used for the original backup Routing Engine (Step 3 through Step 14).

Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis

On EX8200 Virtual Chassis, you must upgrade Junos OS before you can upgrade the loader software.

To upgrade an EX8200 Virtual Chassis, you must upgrade the loader softwad to be upgraded.

NOTE: It is required that a Virtual Chassis has the same version of Junos OS installed on all members in the Virtual Chassis. It is not recommended to install different versions of Junos OS on individual members of a Virtual Chassis, or to upgrade members individually. Upgrading individual members of a Virtual Chassis is not recommended, and could cause Virtual Chassis instability if running multiple Junos OS versions on individual members in a Virtual Chassis.

As described in “Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches” on page 39, the loader software for a Routing Engine resides in two flash memory banks and both banks must be upgraded with the new loader software.


To upgrade the Junos OS and the loader software:

1. Download the loader software package and the Junos OS package from the Juniper

Networks website as described in Downloading Software Packages from Juniper

Networks. Place the software packages on an internal software distribution site or in

a local directory on the master external Routing Engine. We recommend using /var/tmp as the local directory.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

2. Log in to the master external Routing Engine.

3. Install the Junos OS package:

user@external-routing-engine> request system software add package

Replace package with one of the following paths:

• For a software package in the /var/tmp directory on the switch—/var/tmp/package.tgz

• For a software package on a remote server:

• ftp://hostname/pathname/package.tgz

• http://hostname/pathname/package.tgz

where package.tgz is, for example, jinstall-ex-xre200-11.3R1.8-domestic-signed.tgz.

4. Reboot the Virtual Chassis:

user@external-routing-engine> request system reboot
Reboot the system ? [yes,no] (no) yes

5. After the reboot completes, verify that Junos OS has been upgraded on all members:

user@external-routing-engine> show version

6. Disable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR):

user@switch> deactivate chassis redundancy graceful-switchover
user@switch> deactivate routing-options nonstop-routing

7. Install the loader package:

user@external-routing-engine> request system software add package

Replace package with the path to the loader package.

The package is pushed to each member switch from the master external Routing Engine.


8. Upgrade the loader software in the current backup banks on both Routing Engines on a member switch (member 0 is used in the command examples):

a. Enter the CLI and log in to the member switch:

user@external-routing-engine> request session member 0

b. Upgrade the firmware in the backup bank on the master Routing Engine:

user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....

c. Wait a couple of minutes and then reboot the Routing Engine:

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

d. Upgrade the firmware in the current backup bank of the backup Routing Engine (now the master) by repeating Step a through Step c.

Because the loader software has been upgraded in the backup banks, they now

become the primary banks.

9. After the reboots of the Routing Engines complete, log in to the member switch again and verify that the loader software has been upgraded in the primary banks:

user@external-routing-engine> request session member 0
user@switch> show chassis firmware
Part                   Type      Version
FPC 1                  U-Boot    U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                       loader    FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                  U-Boot    U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                       loader    FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0       U-Boot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                       loader    FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1       U-Boot    U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                       loader    FreeBSD/PowerPC U-Boot bootstrap loader 2.4

The U-Boot version that appears after the build date and time must be 3.5.0 or later.

10. Upgrade the loader software in the new backup banks on both Routing Engines on the member switch:

a. Upgrade the firmware in the backup bank on the master Routing Engine:

user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....

b. Perform a master switchover to make the backup Routing Engine the master Routing Engine:

user@switch> request chassis routing-engine master switch
Toggle mastership between routing engines ? [yes,no] (no) yes

You are returned to the master external Routing Engine after the master switchover.

c. Log back in to the member switch:


user@external-routing-engine> request sessionmember 0

d. Upgrade the firmware in the backup bank on the new master Routing Engine:

user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....

e. Verify that the loader software has been upgraded in the new primary banks on both Routing Engines:

user@switch> show chassis firmware
Part                     Type       Version
FPC 1                    U-Boot     U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                    U-Boot     U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4

f. Exit to the master external Routing Engine.

11. Re-enable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR). The activate statement is entered in configuration mode and takes effect only when committed:

user@switch# activate chassis redundancy graceful-switchover
user@switch# activate routing-options nonstop-routing
user@switch# commit

12. Upgrade the loader software on the other member switch in the Virtual Chassis by repeating Step 7 through Step 9.
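The verification in Step 9 and Step 10e is a manual read of show chassis firmware on each member. The following Python check is an added example (not Juniper code and not part of these release notes): it parses captured show chassis firmware output and reports any Routing Engine whose U-Boot version is missing or below 3.5.0, so the result can be gated in a change script instead of eyeballed. The embedded sample is constructed from the output shown above; its column spacing, and the assumption that a row without a trailing dotted number carries no version, are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
FirmwareTable = Dict[str, Dict[str, Optional[Version]]]

# Constructed sample modelled on the `show chassis firmware` output in Step 9.
# Column widths are an assumption; real output is column-aligned but varies.
SAMPLE_OUTPUT = """\
Part                     Type       Version
FPC 1                    U-Boot     U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                    U-Boot     U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
"""

# Minimum U-Boot version the procedure requires on each Routing Engine.
MIN_UBOOT: Version = (3, 5, 0)

# A row either starts with a Part name (FPC n, Routing Engine n) or, for the
# second firmware type of the same part, with whitespace only.
ROW_RE = re.compile(r"^(?P<part>\S.*?)?\s+(?P<type>U-Boot|loader)\s+(?P<rest>.+?)\s*$")
# The version, when present, is the dotted number at the end of the row; a row
# that ends in the build-date parenthesis shows no version (assumed = not upgraded).
TRAILING_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> Optional[Version]:
    m = TRAILING_VERSION_RE.search(text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def parse_chassis_firmware(output: str) -> FirmwareTable:
    """Map each Part to {'U-Boot': version, 'loader': version}; None = no version shown."""
    table: FirmwareTable = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Part"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised firmware row: {line!r}")
        if m.group("part"):
            current = m.group("part").strip()
            table.setdefault(current, {})
        if current is None:
            raise ValueError("firmware row precedes any Part name")
        table[current][m.group("type")] = parse_version(m.group("rest"))
    return table


def _pad(v: Version, width: int) -> Version:
    # Compare 3.5 and 3.5.0 as equal by right-padding with zeros.
    return v + (0,) * (width - len(v))


def check_routing_engines(table: FirmwareTable, minimum: Version = MIN_UBOOT) -> List[str]:
    """One message per Routing Engine that fails the minimum; empty list means all pass."""
    problems: List[str] = []
    res = [part for part in table if part.startswith("Routing Engine")]
    if not res:
        problems.append("no Routing Engine rows found in output")
    want = ".".join(map(str, minimum))
    for part in res:
        have = table[part].get("U-Boot")
        if have is None:
            problems.append(f"{part}: U-Boot row shows no version number; loader probably not upgraded")
        elif _pad(have, len(minimum)) < _pad(minimum, len(have)):
            problems.append(f"{part}: U-Boot {'.'.join(map(str, have))} is below required {want}")
    return problems


if __name__ == "__main__":
    fw = parse_chassis_firmware(SAMPLE_OUTPUT)
    for msg in check_routing_engines(fw) or ["all Routing Engines at U-Boot 3.5.0 or later"]:
        print(msg)
```

Run it once per member switch against the output captured after the reboot in Step 9 and again after Step 10e; a non-empty list means the bank you just booted from still carries the old loader and the member should not be returned to service.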

Downgrading to Junos OS Release 10.4R2 or Earlier

When you downgrade to Junos OS Release 10.4R2 or earlier, which are releases that do not support resilient dual-root partitions, the downgrade process automatically:

• Reformats the disk from four partitions to three partitions during the reboot of the switch that completes the Junos OS downgrade. The reformat causes a one-time increase in reboot time of 10 to 25 additional minutes per Routing Engine for EX8200 switches and 5 to 10 additional minutes for other switches.

• Disables the boot-sequencing function of the loader software. With the boot-sequencing function disabled, the loader software behaves as it did before resilient dual-root partitions were introduced. The loader software itself is not downgraded; there is no need to downgrade it.

To downgrade to Release 10.4R2 or earlier:

1. Use the request system snapshot command to save your data files to external media before you perform the downgrade.


NOTE: Files in the /config directory are saved and restored during the

downgrade process. However, files in the /var directory, such as log files

and user /home directories, are not saved. In addition, a power failure

during the reboot could cause the configuration files to be lost.

2. Install Junos OS.

Downgrading to an Earlier Junos OS Release

CAUTION: Before you begin the software downgrade on your EX Series switch, you must verify the minimum Junos OS release supported on the switch and the components installed in the switch. Do not downgrade the software on a switch to a release prior to the first Junos OS release that the switch or a component is supported in.

To verify the first Junos OS release supported on your switch, see:

• EX2200 Switch Models

• EX3200 Switch Models

• EX3300 Switch Models

• EX4200 Switch Models

• EX4500 Switch Models

• Line Card Model and Version Compatibility in an EX8200 Switch

Upgrading EX Series Switches Using NSSU

You can use nonstop software upgrade (NSSU) to upgrade Junos OS releases on EX8200 standalone switches and EX8200 Virtual Chassis. For instructions on how to perform an upgrade using NSSU, see Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure) or Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure).

Table 2 on page 47 details NSSU support per Junos OS release and provides pointers to any known issues for particular upgrade scenarios.


Table 2: Using NSSU to Upgrade Junos OS on EX8200 Switches and EX8200 Virtual Chassis

Switch Platform          | Upgrade from Release x.x  | To 10.4R4 or later | To 11.1R4       | To 11.1R5 or later | To 11.2R1 or later | To 11.3R1 or later | To 11.4R1 or later
-------------------------|---------------------------|--------------------|-----------------|--------------------|--------------------|--------------------|-------------------
EX8200 standalone switch | 10.4R1 or 10.4R2          | Not supported      | Not supported   | Not supported      | Not supported      | Not supported      | Not supported
                         | 10.4R3 or later           | Supported          | Supported       | Supported          | Supported          | Supported          | Supported
                         | 11.1R1 or later           | –                  | Supported       | Supported          | Supported          | Supported          | Supported
                         | 11.2R1 or later           | –                  | –               | –                  | Supported          | Supported          | Supported
                         | 11.3R1 or later           | –                  | –               | –                  | –                  | Supported          | Supported
                         | 11.4R1                    | –                  | –               | –                  | –                  | –                  | Supported
EX8200 Virtual Chassis   | 10.4R1 or later           | Not supported      | Not supported   | Not supported      | Not supported      | Not supported      | Not supported
                         | 11.1R1, 11.1R2, or 11.1R3 | –                  | Not recommended | Not recommended    | Not recommended    | Not recommended    | Not recommended
                         | 11.1R4                    | –                  | Not recommended | Supported          | Supported          | Supported          | Supported
                         | 11.1R5 or later           | –                  | –               | Supported          | Supported          | Supported          | Supported
                         | 11.2R1 or later           | –                  | –               | –                  | Supported          | Supported          | Supported
                         | 11.3R1 or later           | –                  | –               | –                  | –                  | Supported          | Supported
                         | 11.4R1 or later           | –                  | –               | –                  | –                  | –                  | Supported

A dash (–) marks a cell with no entry: the target release is not later than the source release, so the table gives no NSSU path for it.

On an EX8200 Virtual Chassis, an NSSU operation can be performed only if you have

configured the XRE200 External Routing Engine member ID to be 8 or 9.


NOTE: Do not use nonstop software upgrade (NSSU) to upgrade the software on an EX8200 switch from Junos OS Release 10.4 if you have configured the IGMP, MLD, or PIM protocols on the switch. If you attempt to use NSSU, your switch might be left in a nonfunctional state from which it is difficult to recover. If you have these multicast protocols configured, upgrade the software on the EX8200 switch from Release 10.4 by following the instructions in Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure). This issue does not apply to upgrades from Release 11.1 or later.

NOTE: If you are using NSSU to upgrade the software on an EX8200 switch from Junos OS Release 10.4 or Release 11.1 and sFlow technology is enabled, disable sFlow technology before you perform the upgrade using NSSU. After the upgrade is complete, you can reenable sFlow technology. If you do not disable sFlow technology before you perform the upgrade with NSSU, sFlow technology will not work properly. This issue does not affect upgrades from Release 11.2 or later.

NOTE: If you are using NSSU to upgrade the software on an EX8200 switch from Junos OS Release 11.1 and NetBIOS snooping is enabled, disable NetBIOS snooping before you perform the upgrade using NSSU. After the upgrade is complete, you can reenable NetBIOS snooping. If you do not disable NetBIOS snooping before you perform the upgrade with NSSU, NetBIOS snooping will not work properly. This issue does not affect upgrades from Release 11.2 or later.
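Table 2 and the three notes above together decide whether an NSSU is a safe change for a given switch, and the decision depends on release ordering ("10.4R3 or later", "11.1R1 through 11.1R3") rather than on exact strings. The following Python pre-flight gate is an added example, not Juniper tooling and not part of these release notes; it encodes the table's rows as range checks on parsed release numbers and appends the note conditions. The platform labels and the feature names (igmp, mld, pim, sflow, netbios-snooping) are this example's own conventions, and the caller is assumed to have collected the running release and configured features by other means.

```python
import re
from typing import Iterable, List, Tuple

Release = Tuple[int, int, int]  # (major, minor, R number): "11.1R4" -> (11, 1, 4)

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)$")

# Platform labels used by this example (assumed names, matching Table 2's rows).
STANDALONE = "EX8200 standalone switch"
VIRTUAL_CHASSIS = "EX8200 Virtual Chassis"


def parse_release(text: str) -> Release:
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos release string: {text!r}")
    major, minor, r = (int(x) for x in m.groups())
    return (major, minor, r)


def nssu_status(platform: str, from_release: str, to_release: str) -> str:
    """Table 2 as a function: 'supported', 'not supported', 'not recommended',
    or 'n/a' where the table shows a dash (target not later than the source)."""
    src, dst = parse_release(from_release), parse_release(to_release)
    if dst < (10, 4, 4):
        raise ValueError("Table 2 only covers upgrades to Release 10.4R4 or later")
    if platform == STANDALONE:
        if src < (10, 4, 3):          # rows 10.4R1 / 10.4R2
            return "not supported"
        if dst < src:
            return "n/a"
        return "supported"            # rows 10.4R3 or later
    if platform == VIRTUAL_CHASSIS:
        if src < (11, 1, 1):          # row "10.4R1 or later"
            return "not supported"
        if dst < src:
            return "n/a"
        if src <= (11, 1, 3):         # row "11.1R1, 11.1R2, or 11.1R3"
            return "not recommended"
        if src == (11, 1, 4) and dst == (11, 1, 4):
            return "not recommended"  # row 11.1R4, column 11.1R4
        return "supported"
    raise ValueError(f"unknown platform: {platform!r}")


def nssu_preflight(platform: str, from_release: str, to_release: str,
                   configured: Iterable[str]) -> List[str]:
    """Messages a change ticket should carry before an NSSU; empty list = go.
    `configured` lists the protocols/features enabled on the switch."""
    feats = {f.strip().lower() for f in configured}
    msgs: List[str] = []
    status = nssu_status(platform, from_release, to_release)
    if status != "supported":
        msgs.append(f"NSSU {status} from {from_release} to {to_release} on {platform}")
    train = parse_release(from_release)[:2]   # (major, minor) of the source release
    if train == (10, 4) and feats & {"igmp", "mld", "pim"}:
        msgs.append("do not use NSSU: IGMP/MLD/PIM configured on a 10.4 switch; "
                    "use the redundant Routing Engines CLI procedure instead")
    if train in {(10, 4), (11, 1)} and "sflow" in feats:
        msgs.append("disable sFlow before the NSSU and re-enable it afterwards")
    if train == (11, 1) and "netbios-snooping" in feats:
        msgs.append("disable NetBIOS snooping before the NSSU and re-enable it afterwards")
    return msgs


if __name__ == "__main__":
    for line in nssu_preflight(STANDALONE, "10.4R3", "11.4R1", ["pim", "sflow"]):
        print(line)
```

The multicast case is reported as a hard stop rather than a pre-step because the note says the switch may be left unrecoverable; the sFlow and NetBIOS cases are pre-steps the operator can clear and re-run.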

Related Documentation

• New Features in Junos OS Release 11.4 for EX Series Switches on page 7

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10

• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11

• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15

• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19

• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28


Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers

• New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series

Routers on page 49

• Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers on page 117

New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

The Junos OS Release 11.4 documentation contains information about the following M

Series, MX Series, and T Series functionality that will not be available until a later release

of Junos OS Release 11.4:

• Class of Service on page 49

• High Availability on page 54

• Interfaces and Chassis on page 56

• Junos OS XML API and Scripting on page 73

• Layer 2 Ethernet Services on page 75

• MPLS Applications on page 75

• Network Management on page 79

• Routing Protocols on page 82

• Subscriber Access Management on page 83

• System Logging on page 109

• User Interface and Configuration on page 116

• VPNs on page 117

Class of Service

• Support for DSCP classification on customer edge links for CCC, TCC, and VPLS (MX Series routers with MPC/MIC interfaces)—Extends support for DSCP-based behavior aggregate (BA) classification for circuit cross-connect (CCC), translational cross-connect (TCC), and virtual private LAN service (VPLS) on MX Series routers with MPC/MIC interfaces.

DSCP-based services provide support for a uniform end-to-end quality-of-service

(QoS)model. By using the DSCP classifier, you can apply the QoS configuration for

the CCC, TCC, and VPLS families at the IP level. Therefore, you do not have to depend

on the underlying Layer 2 QoS support.

[Class of Service]

• Support for Layer 2 features on Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MX Series routers)—The following Layer 2 features are supported on the Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP:


• Support for configuring interface MTU settings (range: 256–9192 bytes).

• Support for configuring High-Level Data Link Control (HDLC) payload scrambling.

• Support for crc-16 and crc-32 HDLC CRC checking modes.

• Support for configuring the HDLC idle cycle flag. The default idle cycle transmit value is 0x7E.

• Support for the following encapsulations:

• cisco-hdlc—Cisco-compatible HDLC framing

• cisco-hdlc-ccc—Cisco-compatible HDLC framing for a circuit cross-connect

• cisco-hdlc-tcc—Cisco-compatibleHDLC framing for a translational cross-connect

• flexible-frame-relay—Multiple Frame Relay encapsulations

• frame-relay—Frame Relay encapsulation

• frame-relay-ccc—Frame Relay for a circuit cross-connect

• frame-relay-tcc—Frame Relay for a translational cross-connect

• frame-relay-ppp—Point-to-Point Protocol (PPP) over Frame Relay

• ppp—Serial Point-to-Point Protocol (PPP) device

• ppp-ccc—Serial PPP device for a circuit cross-connect

• ppp-tcc—Serial PPP device for a translational cross-connect

• MPLS circuit cross-connect

• MPLS translational cross-connect

• MPLS fast reroute

[Class of Service]

• Set IPv6 DSCP and MPLS EXP independently (M120 routers, M320 routers with Enhanced III FPCs, and MX Series routers)—On the M120, M320 with Enhanced III FPCs, and MX Series 3D Universal Edge Routers, you can set the packet DSCP and MPLS EXP bits independently on IPv6 packets.

To enable this feature, include theprotocolmpls statement at the [edit class-of-service

interfaces interface-name unit logical-unit rewrite-rules dscp-ipv6 rule-name] hierarchy

level.

You can set DSCP IPv6 values only at the ingress MPLS node. This feature is not

supported on MPC/MIC interfaces.

[Class of Service]

• Unified command to display all QoS statistics (M Series, MX Series, and T Series routers)—Two new options, detail and comprehensive, are added to the show


class-of-service interface interface-name command. These new options are added to provide a unified operational command that combines the output of existing commands and displays all quality-of-service (QoS) parameters and statistics for physical or logical interfaces.

The output of the show class-of-service interface interface-name detail command is a

combination of output of the following commands:

• show interfaces brief

• show interfaces filters interface-name

• show interfaces policers interface-name

• show class-of-service interface interface-name

In the show class-of-service interface interface-name detail command, if interface-name is a physical interface, the QoS information is displayed for the physical interface as well as for the logical interfaces on the physical interface; that is, the commands listed above are executed first for the physical interface, and then for each of the logical interfaces. If interface-name is a logical interface, the QoS information is displayed only for the logical interface.

The output of the show class-of-service interface interface-name comprehensive

command is a combination of output of the following commands:

• show interfaces interface-name extensive

• show interfaces queue interface-name

• show interfaces filters interface-name

• show interfaces policers interface-name

• show firewall filter filter-name

• show policer policer-name

• show class-of-service classifier name classifier-name

• show class-of-service translation-table name trans-table-name

• show class-of-service forwarding-class

• show class-of-service traffic-control-profile tcp-name

• show class-of-service scheduler-map scheduler-map-name

• show class-of-service drop-profile drop-profile-name

• show class-of-service rewrite-rule name rewrite-rule-name

• show class-of-service fragmentation-map fragmap-name

The show class-of-service interface interface-name comprehensive command displays a specific construct only when it is attached to the interface. For example, if a translation


table is not attached to an interface, it is not displayed. The constructs are listed if they

are configured on the interface, either explicitly or through default configuration.

NOTE:

• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive command output are a combination of existing command output; no new field or functionality is added in the output.

• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive commands can be used mainly for debugging. If you do not specify interface interface-name and want to see the output for many interfaces together using these commands, there might be some delay in displaying the output.

• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive commands do not display routing instance statistics and information related to interface sets, ATM CoS, CoS-based forwarding, and interface range match.

• While displaying firewall QoS output, only classical, interface-specific, and Layer 2 policer-related information is displayed.

[Class of Service, System Basics, Network Interfaces]

• Support for rewrite rules and classifiers on Ethernet pseudowires (MX Series routers)—Enables you to configure rewrite rules and classifiers on Ethernet pseudowires that are configured on logical tunnel interfaces. This feature is supported on MPC/MIC modules on MX Series routers.

You can use logical tunnel interfaces to create pseudowires by connecting two virtual

routing forwarding (VRF) instances. A pseudowire can be used to represent a single

subscriber (for example, a business subscriber).

To configure this feature, create a logical interface by including the lt-fpc/pic/port

statement at the [edit interfaces] hierarchy level or the [edit logical-systems

logical-system-name interfaces] hierarchy level. Youmust specify an Ethernet

encapsulation type and inet as the family.

To configure the CoS parameters, include the rewrite-rules and classifier statements

at the [edit class-of-service] hierarchy level. You can specify inet-precedence or dscp

as the rewrite rule or the classification type.

[Class of Service, Subscriber Access]

• Policer support for aggregated Ethernet and SONET bundles (M120, M10i, M7i (CFEB-E only), M320 (SFPC only), MX240, MX480, and MX960 (DPC only))—Aggregated interfaces support single-rate policers, three-color marking policers, two-rate three-color marking policers, hierarchical policers, and percentage-based policers. By default, policer bandwidth and burst size applied on aggregated bundles are not matched to the user-configured bandwidth and burst size.


You can configure interface-specific policers applied on an aggregated Ethernet bundle or an aggregated SONET bundle to match the effective bandwidth and burst size to user-configured values. The shared-bandwidth-policer statement is required to achieve this match behavior.

This capability applies to all interface-specific policers of the following types: single-rate policers, single-rate three-color marking policers, two-rate three-color marking policers, and hierarchical policers. Percentage-based policers match the bandwidth to the user-configured values by default, and do not require shared-bandwidth-policer configuration. The shared-bandwidth-policer statement causes a split in burst size for percentage-based policers.

To configure this feature, include the shared-bandwidth-policer statement at the [edit

firewall policer policer-name], [edit firewall three-color-policer policer-name], or [edit

firewall hierarchical-policer policer-name] hierarchy levels.

[Class of Service]

• Configurable IEEE 802.1p inheritance support for push and swap from hidden tag (MX Series routers)—Configurable IEEE 802.1p inheritance of push and swap bits from the hidden tag of each incoming packet allows you to classify incoming packets based on the IEEE 802.1p bits from the hidden tag.

You can configure inheritance of IEEE 802.1p bits from the hidden tag by including the swap-by-poppush statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. To configure the classification of incoming packets based on the IEEE 802.1p bits from the hidden tag, include the hidden statement at the [edit class-of-service interfaces interface-name unit logical-unit-number classifiers ieee-802.1 vlan-tag] hierarchy level.

This feature is supported on MX Series routers with DPCs, Enhanced DPCs, and

Enhanced Queuing DPCs.

[Class of Service, Ethernet Interfaces]

• Queuing support for logical tunnel interfaces (MX Series routers with MPC/MIC interfaces)—You can configure CoS scheduling parameters on a logical tunnel interface. This configuration can be used to manage traffic entering a pseudowire. You can configure the CoS scheduling and queuing parameters at the physical interface or the logical interface level. To do this, configure a hierarchical scheduler on the physical interface.

[Class of Service]

• DSCP rewrite enabled on T640 and T1600 routers—DSCP rewrite is supported for the 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP).

NOTE: This PIC is referred to as the 10-port 10-Gigabit Oversubscribed Ethernet PIC or 10-port 10-Gigabit OSE PIC in some software documentation.


[Class of Service, T640 PIC Guide, T1600 PIC Guide]

• Extends support for Layer 2 policers on MX Series routers with MPC/MIC interfaces—You can now configure Layer 2 policers for the ingress and egress interfaces on MX Series routers with MPC/MIC interfaces. Policer types include: single-rate two-color, single-rate three-color (color-blind and color-aware), and two-rate three-color (color-blind and color-aware). To configure Layer 2 policing, include the policer at the [edit firewall] hierarchy level.

[Class of Service, Policy, Network Interfaces]

High Availability

• Nonstop active routing support for RSVP OAM and BFD over RSVP—Starting with Release 11.4, Junos OS extends the nonstop active routing support to the RSVP Operation, Administration, and Maintenance (OAM) feature. Nonstop active routing support for RSVP OAM ensures that the OAM state information is maintained across the switchover. Nonstop active routing support for RSVP OAM also enables the BFD sessions over RSVP LSPs to preserve the state information across the switchover, and to come back online after the switchover.

However, nonstop active routing support for RSVP OAM does not include

point-to-multipoint LSPs, logical systems, and bypass and detour LSPs.

[High Availability]

• Support for unified in-service software upgrade (T640 and T1600 Routers)—Supports unified in-service software upgrade (unified ISSU) on T640 and T1600 routers with the 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP). Unified ISSU is a process to upgrade the system software with minimal disruption of transit traffic and no disruption on the control plane. In this process, the new system software version must be higher than the previous system software version. When unified ISSU completes, the new system software state is identical to that of the system software when the system upgrade is performed by powering off the system and then powering it back on.

[High Availability]

• Support for unified in-service software upgrade (MX Series routers with FPC2 and FPC3)—Supports unified in-service software upgrade (unified ISSU) on MX Series routers with FPC2 and FPC3.

The following Physical Interface Cards (PICs) on MX-FPC2 and MX-FPC3 support unified ISSU:

MX-FPC2

• SONET/SDH OC48/STM16 (Multi-Rate) PIC with SFP (PB-1OC48-SON-B-SFP)

• SONET/SDH OC48c/STM16 with SFP (PB-1OC48-SON-SFP)

• SONET/SDH OC3c/STM1 (Multi-Rate) PIC with SFP (PB-4OC3-1OC12-SON2-SFP)


• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP (PB-4OC3-4OC12-SON-SFP)

• Channelized OC48/STM16 Enhanced IQ (IQE) PIC with SFP (PB-1CHOC48-STM16-IQE-SFP)

MX-FPC3

• SONET/SDH OC192c/STM64 PIC (PC-1OC192-SON-VSR)

• SONET/SDH OC192c/STM64 PIC with XFP (PC-1OC192-SON-XFP)

• SONET/SDH OC48/STM16 PIC with SFP (PC-4OC48-SON-SFP)

Unified ISSU is a process to upgrade the system software with minimal disruption of

transit traffic and no disruption on the control plane. In this process, the new system

software version must be higher than the previous system software version. When

unified ISSU completes, the new system software state is identical to that of the system

software when the system upgrade is performed by powering off the system and then

powering it back on.

[High Availability]

• Layer 2 bridging support for MX Series Virtual Chassis (MX240, MX480, and MX960 routers with MPC/MIC interfaces)—Supports the following Layer 2 bridging features and applications in an MX Series Virtual Chassis configuration:

• Bridged interface configuration

• Bridge domain configuration

• Media access control (MAC) flooding and learning

• Integrated routing and bridging (IRB)

• Virtual private LAN service (VPLS)

• Redundant pseudowires for Layer 2 circuits and VPLS

Configuration of these Layer 2 bridging features works the same way for member

routers in an MX Series Virtual Chassis as it does for standalone MX Series routers that

are not part of a Virtual Chassis.

[High Availability, Layer 2]

• Support for unified in-service software upgrade (T640 and T1600 Routers with Type 3 PICs)—Junos OS Release 11.4 supports unified in-service software upgrade (unified ISSU) on T640 and T1600 routers with the 4-port Channelized SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (PC-4OC48-STM16-IQE-SFP).

Unified ISSU is a process to upgrade the system software with minimal disruption of

transit traffic and no disruption on the control plane. In this process, the new system

software version must be higher than the previous system software version. When

unified ISSU completes, the new system software state is identical to that of the system

software when the system upgrade is performed by powering off the system and then

powering it back on.


[High Availability]

• Unified ISSU support for statistics preservation on MPC/MIC interfaces (MX Series 3D Universal Edge Routers)—Enables support for the preservation of interface-specific and firewall filter statistics across a unified in-service software upgrade (unified ISSU) on an MX Series router with MPC/MIC interfaces. This support ensures that the router maintains statistics data across the unified ISSU and that statistics counters are operational after the unified ISSU completes.

To preserve statistics across a unified ISSU, the router stores the statistics data as

binary large objects. The router collects the statistics before the unified ISSU is

initialized, and restores the statistics after the unified ISSU completes. No statistics

are collected during the unified ISSU process.

To verify that statistics are preserved across the unified ISSU, you can issue existing

CLI operational commands such as show interfaces statistics after the unified ISSU

completes.

For a list of the MPCs and MICs that are supported during a unified ISSU on MX Series 3D Universal Edge Routers, see the Junos OS High Availability Configuration Guide.

[High Availability, Subscriber Access]

Interfaces and Chassis

• Internet Key Exchange version 2 (IKEv2)—Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers.

The version statement under the [edit services ipsec-vpn ike policy name] hierarchy

allows you to configure the specific IKE version to be supported. However, if only IKEv1

is supported, Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported,

Junos OS rejects all IKEv1 negotiations.

The key management process (kmd) daemon determines which version of IKE is used in a negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured version for negotiations. If kmd is the IKE responder, it accepts connections from both IKEv1 and IKEv2. Because these defaults leave IKEv1 in use on both sides, a router that must never negotiate IKEv1 needs the version configured explicitly in its IKE policy; only then are IKEv1 negotiations rejected.

[Services Interfaces]

• Support for Frame Relay DE loss priority mapping (M120 routers, M320 routers with Enhanced III FPC, M7i and M10i routers with Enhanced Compact Forwarding Engine Board, and MX Series routers)—Enables you to define a loss priority map based on the Frame Relay discard eligibility (DE) bit. To configure the Frame Relay DE loss priority mapping, include the loss-priority and code-point statements at the [edit class-of-service loss-priority-maps frame-relay-de] hierarchy level. For each mapping, the loss priority can be high, medium-high, medium-low, or low. The value of the code point can be 0 or 1.

The mapping does not take effect until you apply it to a logical interface. To apply a map to a logical interface, include the frame-relay-de map-name statement at the [edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-maps] hierarchy level:

[edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-maps]
frame-relay-de map-name;


[Class of Service, System Basics, Network Interfaces]

• Support for Frame Relay DE bit rewriting on Enhanced IQ PICs (M7i, M10i, M40e, M120, M320, MX Series, and T Series routers)—Enables you to rewrite the Frame Relay discard eligibility (DE) bit by including the frame-relay-de statement at the [edit class-of-service loss-priority-rewrites] hierarchy level. For each mapping, the loss priority can be high, medium-high, medium-low, or low. The value of the code point can be 0 or 1.

The Frame Relay DE bit rewrite does not take effect until you apply it to a logical interface. To apply the Frame Relay DE bit rewrite to the logical interface, include the frame-relay-de map-name statement at the [edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-rewrites] hierarchy level:

[edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-rewrites]
frame-relay-de map-name;

[Class of Service, System Basics, Network Interfaces]

• Support for carrying DE, FECN, and BECN bit information in Layer 2 VPN and Layer 2 circuit control word (M120, M320, MX Series, and T Series routers)—Provides additional class-of-service (CoS) support for Frame Relay services over MPLS using Layer 2 virtual private networks (VPNs) and Layer 2 circuits. When you perform control word classification and rewrite, the discard eligibility (DE) bit, forward explicit congestion notification (FECN) bit, and backward explicit congestion notification (BECN) bit in the incoming Frame Relay packet for the circuit cross-connect (CCC) family are mapped to the Layer 2 circuit control word across the MPLS backbone. To enable this mapping, include the translate-discard-eligible and translate-fecn-and-becn statements at the [edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level.

You can classify and rewrite the control word DE bit based on the packet loss priority

(PLP) by using the translate-plp-control-word-de statement at the [edit interfaces

interface-name unit logical-unit-number family ccc] hierarchy level. When you configure

the translate-plp-control-word-de statement on the ingress PE router, the DE bit in the

control word is rewritten based on the PLP. When you configure the

translate-plp-control-word-de statement on the egress PE router, the PLP is derived

based on the control word DE bit and the DE bit in the outgoing Frame Relay header

is rewritten based on the PLP. By default, control word classification and rewrite is

disabled. The mapping of the PLP to the DE bit in the control word and the outgoing Frame Relay packet is fixed. For rewriting, the PLP values low and medium-low are mapped to the DE bit 0 and the PLP values high and medium-high are mapped to the DE bit 1. For classifying, the DE bit 0 is mapped to the PLP value low and the DE bit 1 is mapped to the PLP value high.

To enable control word classification and rewrite, include the following statements at

the [edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level:

[edit interfaces interface-name unit logical-unit-number]
encapsulation frame-relay-ccc;
point-to-point;
dlci dlci-number;
family ccc {
    translate-discard-eligible;
    translate-fecn-and-becn;
    translate-plp-control-word-de;
}

NOTE: The translate-discard-eligible and translate-plp-control-word-de statements are mutually exclusive; that is, you can configure only one of these statements.

[Network Interfaces]
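The ingress and egress PE behavior described above, as an added example in Python that is not part of the release notes or of Junos OS. It models the two-octet Q.922 address field and the Frame Relay pseudowire control word (RFC 4619, section 3.1) as bit fields, applies the fixed PLP/DE mapping stated above, and rejects the mutually exclusive statement combination the way a commit check would. The default PLP of low on an egress PE that is not classifying, and the control word C/R bit being left clear, are assumptions of the example.

```python
"""Frame Relay DE bit <-> Layer 2 circuit control word mapping (added example).

Q.922 two-octet address field (MSB first):
  octet 1: DLCI bits 9..4 | C/R | EA=0
  octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
Frame Relay pseudowire control word, RFC 4619 section 3.1:
  |0 0 0 0|B|F|D|C|FRG(2)|Length(6)|Sequence number(16)|
"""

CW_B, CW_F, CW_D, CW_C = 1 << 27, 1 << 26, 1 << 25, 1 << 24

# Fixed mapping from the release note: rewrite PLP -> DE, classify DE -> PLP.
PLP_TO_DE = {"low": 0, "medium-low": 0, "medium-high": 1, "high": 1}
DE_TO_PLP = {0: "low", 1: "high"}


def parse_q922(hdr: bytes) -> dict:
    """Decode a two-octet Q.922 address field into DLCI and flag bits."""
    if len(hdr) != 2 or hdr[0] & 1 or not hdr[1] & 1:
        raise ValueError("not a two-octet Q.922 address field")
    dlci = (((hdr[0] >> 2) & 0x3F) << 4) | ((hdr[1] >> 4) & 0x0F)
    return {"dlci": dlci, "cr": (hdr[0] >> 1) & 1, "fecn": (hdr[1] >> 3) & 1,
            "becn": (hdr[1] >> 2) & 1, "de": (hdr[1] >> 1) & 1}


def build_q922(dlci: int, cr: int = 0, fecn: int = 0, becn: int = 0, de: int = 0) -> bytes:
    """Encode a two-octet Q.922 address field."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI out of range for a two-octet address")
    o1 = (((dlci >> 4) & 0x3F) << 2) | ((cr & 1) << 1)          # EA = 0
    o2 = ((dlci & 0x0F) << 4) | ((fecn & 1) << 3) | ((becn & 1) << 2) | ((de & 1) << 1) | 1
    return bytes([o1, o2])


def _check_exclusive(translate_discard_eligible: bool, translate_plp_control_word_de: bool):
    # Junos rejects this combination at commit time; mirror that here.
    if translate_discard_eligible and translate_plp_control_word_de:
        raise ValueError("translate-discard-eligible and translate-plp-control-word-de "
                         "are mutually exclusive")


def ingress_control_word(hdr: bytes, plp: str, *, translate_discard_eligible=False,
                         translate_fecn_and_becn=False, translate_plp_control_word_de=False,
                         length: int = 0, seq: int = 0) -> int:
    """Build the control word an ingress PE prepends, per the configured translate-* statements.

    With nothing configured (the default) the B, F and D bits stay 0.  C/R is not
    covered by the release note and is left clear (assumption of this example)."""
    _check_exclusive(translate_discard_eligible, translate_plp_control_word_de)
    flags = parse_q922(hdr)
    cw = ((length & 0x3F) << 16) | (seq & 0xFFFF)
    if translate_fecn_and_becn:
        cw |= CW_F if flags["fecn"] else 0
        cw |= CW_B if flags["becn"] else 0
    if translate_discard_eligible and flags["de"]:
        cw |= CW_D                      # copy DE from the incoming frame
    if translate_plp_control_word_de and PLP_TO_DE[plp]:
        cw |= CW_D                      # rewrite DE from the packet's PLP
    return cw


def egress_frame(cw: int, dlci: int, *, translate_discard_eligible=False,
                 translate_fecn_and_becn=False, translate_plp_control_word_de=False):
    """Return (outgoing Q.922 header, PLP assigned) as an egress PE would."""
    _check_exclusive(translate_discard_eligible, translate_plp_control_word_de)
    if cw >> 28:
        raise ValueError("first nibble of the control word must be 0000")
    de_cw = 1 if cw & CW_D else 0
    plp = "low"                         # assumed default when not classifying
    de_out = 0
    if translate_plp_control_word_de:
        plp = DE_TO_PLP[de_cw]          # classify: control word DE -> PLP
        de_out = PLP_TO_DE[plp]         # rewrite: PLP -> outgoing DE
    elif translate_discard_eligible:
        de_out = de_cw                  # plain copy of the DE bit
    fecn = 1 if translate_fecn_and_becn and cw & CW_F else 0
    becn = 1 if translate_fecn_and_becn and cw & CW_B else 0
    return build_q922(dlci, fecn=fecn, becn=becn, de=de_out), plp
```

Because the mapping is lossy (medium-low and medium-high collapse onto DE 0 and 1, and classification only ever yields low or high), a PLP set by a CoS classifier on the ingress PE is not reproduced on the egress PE; only the DE bit survives the pseudowire.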

• Extends support for the Two-Way Active Measurement Protocol (TWAMP) on MX Series routers with MPC/MIC interfaces—You can now configure TWAMP (RFC 5357) on MX Series routers with MPC/MIC interfaces. To configure TWAMP properties, include the twamp statement at the [edit services rpm] hierarchy level. In previous Junos OS releases, this feature was supported on M Series and T Series routers that support Multiservices PICs (running in either Layer 2 or Layer 3 mode), and on MX Series routers.

[Services Interfaces]


• Connecting the JCS1200 platform to a TX Matrix Plus router now supported—Both RSD (root system domain) and PSD (protected system domain) are now supported on TX Matrix Plus routers.

A Protected System Domain (PSD) system consists of a redundant Routing Engine pair (or a single Routing Engine) on the JCS1200 platform, matched with one or more Flexible PIC Concentrators (FPCs) on a T Series router. You can now connect a TX Matrix Plus router to the JCS1200 platform to function as a PSD. To configure a multichassis PSD, include the lcc number fpcs number statement at the [edit chassis system-domains protected-system-domains] hierarchy level. Up to 12 FPCs can be configured for a PSD.

The show chassis psd command is now also supported on TX Matrix Plus routers.

[Protected System Domain, System Basics, JCS1200 Control System Hardware Guide, TX Matrix Plus Hardware Guide]

• Support for 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) on T1600 and T640 routers—The 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) is a 1-port 40-Gigabit Ethernet Type 4 PIC with C form-factor pluggable (CFP) optics supported on T1600 and T640 routers. The 40-Gigabit Ethernet PIC with CFP occupies PIC slot 0 or 1 in the Type 4 FPC. It shares certain common features, such as flexible encapsulation and MAC accounting, with the 4-port 10-Gigabit Ethernet LAN/WAN PIC with XFP (model number PD-4XGE-XFP).

[Network Interfaces, Interfaces Command Reference, T640 PIC Guide, T1600 PIC Guide]

• Support for channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (MX Series routers)—Enables support for SONET/SDH and PDH interfaces on MX Series routers. There are two types of SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP: the 8-port Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (model number MIC-3D-8CHOC3-4CHOC12) and the 4-port Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (model number MIC-3D-4CHOC3-2CHOC12). These MICs support POS/PDH interfaces on the MX80 3D Universal Edge Router and other MX Series routers using the MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ MPCs, positioning a single device to meet multiservice edge requirements. These MICs provide the following basic functions:

• SONET/SDH/PDH framing

• Preclassification

NOTE: CoS support is not directly available on these MICs. CoS functions are implemented entirely in the Packet Forwarding Engine. These MICs only preclassify the packets.

The following features are supported on the Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP:

• Default framing on all ports is SONET.

• The MIC supports SONET and SDH framing mode on a per-port basis. To enable SONET or SDH framing, set the framing statement at the [edit chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level.

• The MIC supports channelized OC3/STM1 and channelized OC12/STM4 configuration on a per-port basis. You can set the speed of the port by configuring the speed statement at the [edit chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level.

• By default, the speed of a port is set to OC3/STM1. You can use the show interfaces extensive operational mode command to view the speed of an interface.

• The MIC supports remote and local loopback. Loopbacks can be configured independently on each port.

• Simultaneous T3 and E3 interfaces can exist on the cau4 controller-level interface.

• Simultaneous T1 and E1 interfaces can exist on the cau4 controller-level interface.


NOTE:

• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP does not support aggregate SONET (link bundling).

• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP does not support container interfaces.

• When a port is configured as channelized OC12, only six of the twelve OC1 slices can be deep-channelized from T1 through DS0. The remaining six OC1 slices can be channelized only to T3, or can be combined to form two OC3 slices. They cannot be channelized to T1 or DS0.

[Channelized Interfaces, SONET/SDH Interfaces, Class of Service, System Basics]

• Support for DS3/E3 MIC (MX Series routers)—Enables support for PDH interfaces on the MX80 3D Universal Edge Router and other MX Series routers using the MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ MPCs, positioning a single device to meet multiservice edge requirements. You can configure the DS3/E3 MIC (model number MIC-3D-8DS3-E3) to function either in clear-channel mode or in channelized mode. When functioning in channelized mode, the DS3/E3 MIC supports PDH interfaces on the MX80 3D Universal Edge Router and on MX Series routers that use the MX-MPC1-3D-Q, MX-MPC2-3D-Q, or MX-MPC2-3D-EQ. When functioning in clear-channel mode, this MIC also supports PDH interfaces on the MX-MPC1-3D and MX-MPC2-3D MPCs.

The DS3/E3 MIC provides the following basic functions:

• PDH framing

• Preclassification

NOTE: CoS support is not directly available on this MIC. CoS functions are implemented entirely in the Packet Forwarding Engine. The MIC only preclassifies the packets.

By default, the DS3/E3 MIC functions in clear-channel mode. To enable the DS3/E3 MIC to function in channelized mode, you need the software license S-MIC-3D-8CHDS3. To enable channelization, set the channelization option at the [edit chassis fpc MPC-slot-number pic MIC-slot-number] hierarchy level. You can use the channelization option to channelize individual DS3 interfaces.


NOTE:

• You can configure the channelization option to enable channelization for the DS3/E3 MICs only. Moreover, you can use the channelization option only on MX Series routers with Queuing and Enhanced Queuing MPCs (MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ) or on MX80 routers. Configuring the channelization option on other MPCs has no effect; the MIC continues to operate in clear-channel mode.

• Only clear-channel E3 mode is supported on the DS3/E3 MIC. Therefore, configuring the channelization option does not affect E3 functionality.

You can enable DS3 or E3 framing mode on individual ports of the DS3/E3 MIC. To do this, set the framing statement at the [edit chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level. By default, DS3 mode is enabled.

NOTE: The DS3/E3 MIC does not support E3 subrate and scrambling.

[Channelized Interfaces, Class of Service, System Basics]

• Enhanced MX Switch Control Board (MX960, MX480, and MX240 routers)—The Enhanced MX SCB uses an XF chip that provides more than 120 Gbps per slot of bandwidth with redundancy. This SCB is supported on MX960, MX480, and MX240 routers, and consists of the following components:

• XF chip—Facilitates fabric planes

• 3 Gbps and 6 Gbps HSL2 link speed

• Front panel clock interface for future clocking support

• Front panel small form-factor pluggable (SFP) transceivers or SFP+ external Ethernet switch interface for future support

[MX960 3D Universal Edge Router Hardware Guide, MX480 3D Universal Edge Router Hardware Guide, MX240 3D Universal Edge Router Hardware Guide]

• Command output changes for Enhanced MX Switch Control Board (MX960, MX480, and MX240 routers)—The Enhanced MX Switch Control Board (SCB) caters to the carrier Ethernet services router and carrier Ethernet transport markets, which require higher-capacity traffic support with greater interface density (slot and capacity scale) as well as improved services.

Starting with Release 11.4, Junos OS supports the Enhanced MX SCB, resulting in the following command output changes:


• The show chassis environment command displays CBN SF A and CBN SF B for the temperatures of the existing SF ASICs. For the Enhanced MX SCB, the temperature sensor is still present, but it now measures the temperature of the XF ASIC. The output now shows CBN XF A and CBN XF B.

• The show chassis environment cb command now includes information about the new Power Management Bus (PMBus) devices on the board, including measured voltage, measured current, and calculated power.

• The show chassis hardware command shows the new part number 750-031391 and the description Enhanced MX SCB.

• The show chassis hardware models command shows the new model SCBE-MX-S.

• The show chassis hardware extensive command shows the new assembly ID 0x09b0.

• The output of the following commands shows amaximum of four active planes for

the Enhanced MX SCB on MX Series routers with MPCs.

• show chassis fabric summary

• show chassis fabric fpc

• show chassis fabric plane

[System Basics]

• Physical interface policers on MX Series routers with MPC/MIC interfaces—Physical interface policers are now available on the Trio chipset.

[Policy]

• Support for FIB Localization—In Junos OS Release 11.4 and later, you can configure FIB localization for a Packet Forwarding Engine. FIB localization characterizes the Packet Forwarding Engines in a router as either "FIB-Remote" or "FIB-Local". FIB-Local Packet Forwarding Engines install all routes from the default inet and inet6 route tables into the Packet Forwarding Engine forwarding hardware. By default, FIB-Remote Packet Forwarding Engines do not install routes for these tables. Instead, FIB-Remote Packet Forwarding Engines create a default (0/0) route in the Packet Forwarding Engine forwarding hardware for the inet and inet6 tables. The default route references a next hop, or a unilist of next hops, that identifies the FIB-Local Packet Forwarding Engines that can perform full IP table lookups for received packets.

When FIB localization is configured on a router with some FPCs being FIB-Remote and others being FIB-Local, packets arriving on an interface of a FIB-Remote FPC are forwarded to one of the FIB-Local FPCs for route lookup and forwarding.

The advantage of configuring FIB localization is that it enables upgrading the hardware forwarding table capacity of the FIB-Local Packet Forwarding Engines without requiring upgrades to the FIB-Remote Packet Forwarding Engines. In a typical network deployment, FIB-Local Packet Forwarding Engines are core-facing while FIB-Remote Packet Forwarding Engines are edge-facing. The FIB-Remote Packet Forwarding Engines also load-balance traffic over the available set of FIB-Local Packet Forwarding Engines.


To configure FIB localization for IPv4 or IPv6 traffic, include the route-localization statement at the [edit chassis] hierarchy level. To configure the Packet Forwarding Engine of an FPC as either FIB-Local or FIB-Remote, include the fib-local or fib-remote statement at the [edit chassis fpc fpc-number route-localization] hierarchy level. To configure a routing policy that causes the forwarding table policy to mark route prefixes for installation in the forwarding hardware of the FIB-Remote Packet Forwarding Engines, include the no-route-localize statement at the [edit policy-options policy-statement policy-name term term-name then] hierarchy level.

To verify route localization information, issue the show route localization or show route localization detail command.

[System Basics, Policy]
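A software model of the FIB-Remote/FIB-Local split described above, as an added example in Python that is neither Juniper code nor a description of the T Series or Trio forwarding hardware. The route table, the FPC names and the hash used to pick a FIB-Local Packet Forwarding Engine are constructed for the example. What it shows is which prefixes each kind of Packet Forwarding Engine actually installs, how a lookup on a FIB-Remote Packet Forwarding Engine falls through to the 0/0 unilist and is completed on a FIB-Local one, and how a prefix marked by a no-route-localize policy term stays resolvable on the FIB-Remote FPC without that second lookup.

```python
"""Model of FIB localization: FIB-Local vs FIB-Remote Packet Forwarding Engines (added example)."""
import ipaddress
import zlib


class Fib:
    """Longest-prefix-match table standing in for one PFE's forwarding hardware."""

    def __init__(self):
        self.routes = {}   # ip_network -> next hop (str) or unilist (list of Pfe)

    def add(self, prefix: str, nexthop):
        self.routes[ipaddress.ip_network(prefix)] = nexthop

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if n.version == addr.version and addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def __len__(self):
        return len(self.routes)


class Pfe:
    """One Packet Forwarding Engine configured fib-local or fib-remote."""

    def __init__(self, name: str, role: str, rib: dict,
                 fib_local_pfes=(), no_route_localize=()):
        assert role in ("fib-local", "fib-remote")
        self.name, self.role, self.fib = name, role, Fib()
        if role == "fib-local":
            # Full inet and inet6 tables go into the hardware FIB.
            for prefix, nh in rib.items():
                self.fib.add(prefix, nh)
        else:
            # Only the 0/0 routes, pointing at a unilist of FIB-Local PFEs ...
            unilist = list(fib_local_pfes)
            if not unilist:
                raise ValueError("a fib-remote PFE needs at least one fib-local PFE")
            self.fib.add("0.0.0.0/0", unilist)
            self.fib.add("::/0", unilist)
            # ... plus prefixes a policy term marked with "then no-route-localize".
            for prefix in no_route_localize:
                self.fib.add(prefix, rib[prefix])

    def forward(self, dst: str):
        """Return (egress next hop or None, list of PFE names that performed a lookup)."""
        nh = self.fib.lookup(dst)
        if isinstance(nh, list):
            # Default route hit on a FIB-Remote PFE: hash the flow over the unilist
            # (constructed hash; real hardware hashes more header fields than this).
            target = nh[zlib.crc32(dst.encode()) % len(nh)]
            egress, path = target.forward(dst)
            return egress, [self.name] + path
        return nh, [self.name]


def build_router():
    """Constructed sample: two core-facing FIB-Local FPCs, one edge-facing FIB-Remote FPC."""
    rib = {
        "10.0.0.0/8": "core-A",
        "10.1.0.0/16": "core-B",
        "192.0.2.0/24": "edge-customer",
        "2001:db8::/32": "core-A",
    }
    fpc0 = Pfe("fpc0", "fib-local", rib)
    fpc1 = Pfe("fpc1", "fib-local", rib)
    # A policy term with "then no-route-localize" keeps the customer prefix on the edge FPC.
    fpc5 = Pfe("fpc5", "fib-remote", rib, fib_local_pfes=[fpc0, fpc1],
               no_route_localize=["192.0.2.0/24"])
    return {"fpc0": fpc0, "fpc1": fpc1, "fpc5": fpc5}


if __name__ == "__main__":
    r = build_router()
    for dst in ("10.1.2.3", "192.0.2.9", "2001:db8::1", "203.0.113.1"):
        print(dst, "->", r["fpc5"].forward(dst))
```

The path list returned by forward() is the practical check: a destination that shows two PFE names was carried across to a FIB-Local FPC for its lookup, which is the behaviour show route localization is there to confirm.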

• Junos OS 64-bit migration on the T1600 router—Unified in-service software upgrade (unified ISSU) is not supported when upgrading from 32-bit Junos OS to 64-bit Junos OS, because GRES and NSR must be disabled during the upgrade. Mixing 32-bit Junos OS and 64-bit Junos OS is not supported except for a small window of time during the upgrade process.

• Support for IGMP snooping over MPCs (MX Series routers with MPCs)—Junos OS Release 11.4 supports the configuration of IGMP snooping over MPCs. For information about how to configure IGMP snooping, see the Junos OS Multicast Protocols Configuration Guide.

[MX Series 3D Universal Edge Router Line Card Guide]

• Passive flow monitoring support on ES-FPCs (T640 and T1600 routers)—Passive monitoring enables you to perform lawful intercept of packets that traverse an Ethernet link between routers or switches. Passive monitoring support is now extended for IPv4 and IPv6 to the following PICs for the T640 and T1600 routers:

• Gigabit Ethernet PIC with SFP

• 10-Gigabit Ethernet PIC with XENPAK (T1600 router)

• SONET/SDH OC192/STM64 PIC (T1600 router)

• SONET/SDH OC192/STM64 PICs with XFP (T1600 router)

• SONET/SDH OC48c/STM16 PIC with SFP (T1600 router)

• SONET/SDH OC48/STM16 (Multi-Rate)

• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP

• Type 1 SONET/SDH OC3/STM1 (Multi-Rate) PIC with SFP

IPv6 passive monitoring is not supported on Monitoring Services PICs. You must configure port mirroring to forward the packets from the passively monitored ports to other interfaces. To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level.

Configuring the interface in passive monitoring mode automatically configures it in promiscuous mode. To configure passive monitoring, include the passive-monitor-mode statement at the [edit interfaces interface-name] hierarchy level. Gigabit Ethernet interfaces in passive monitoring mode do not support the stacked-vlan-tagging statement.

To remove MPLS labels, include the pop-all-labels statement at the [edit interfaces interface-name gigether-options mpls] hierarchy level.

[Services Interfaces, Network Interfaces]

• Layer 2 interface statistics enhancement—On Dense Port Concentrators (DPCs) on MX Series routers, when a bridge domain is configured with an integrated routing and bridging (IRB) interface, packets that are routed by the IRB interface and transmitted out through a Layer 2 interface that is part of the bridge domain are now accounted for in the corresponding Layer 2 interface statistics. Prior to Junos OS Release 11.4, the Layer 2 interface statistics did not account for packets that were routed by an IRB. The show interfaces irb extensive command displays the IRB-related statistics, while the show interfaces statistics interface-name command displays the Layer 2 interface-level statistics.

[Interfaces Command Reference]

• Display pseudowire Layer 2 policing statistics (MX Series routers with MPCs/MICs or enhanced DPCs)—The Junos OS Routing Engine, kernel, and Packet Forwarding Engine can collect the statistics for a pseudowire policer from all Packet Forwarding Engines and display them on the Routing Engine. These statistics are displayed when you execute the show interfaces command, if a pseudowire policer is enabled.

This feature is available for pseudowire logical interfaces at egress.

[MX Solutions Guide]

• Support for 64-bit Junos OS on T640 and TX Matrix Plus routers—Enables you to run 64-bit Junos OS on T640 and TX Matrix Plus routers. This feature also allows you to migrate from the existing 32-bit Junos OS without any loss of features. However, 64-bit-capable Routing Engines are required for upgrading to 64-bit Junos OS. The 64-bit version of Junos OS supports:

• Physical memory of more than 4 GB.

• Increased virtual address space for applications.

The following features are not supported by 64-bit Junos OS:

• Different versions of Junos OS running in separate Routing Engines. Both Routing

Engines must have either 32-bit or 64-bit Junos OS in a single physical or virtual

chassis.

• Upgrade, without downtime, from 32-bit to 64-bit Junos OS using unified in-service

software upgrade (unified ISSU).

In Junos OS Release 11.4, no new CLI commands or alarms are introduced for this

feature.

[System Basics and Services Command Reference, Interfaces Command Reference,

Software Installation and Upgrade]


• Limiting blackhole time by detecting Packet Forwarding Engine destinations that are unreachable over the fabric (T640 and T1600 routers)—Enables the T640 and T1600 routers to limit blackhole time by detecting unreachable destination Packet Forwarding Engines. The router signals neighboring routers when it cannot carry traffic because some or all source Packet Forwarding Engines are unable to forward traffic to some or all destination Packet Forwarding Engines on any fabric plane after interfaces have been created. This inability to forward traffic results in the system blackholing traffic.

Packet Forwarding Engine destinations can become unreachable because of the

following reasons:

• The fabric Switch Interface Boards (SIBs) go offline as a result of a CLI command

or a pressed physical button.

• The fabric SIBs are turned offline by the Switch ProcessorMezzanine Board (SPMB)

because of high temperature.

• Voltage or polled I/O errors in the SIBs detected by the SPMB.

• All Packet Forwarding Engines get destination errors on all planes from remote

Packet Forwarding Engines, even when the SIBs are online.

• Complete fabric loss caused by destination timeouts, evenwhen theSIBs are online.

When the system detects unreachable Packet Forwarding Engine destinations, it attempts to heal the blackholing. If the healing fails, the system turns off the interfaces, thereby stopping the blackholing.

The recovery process consists of the following steps:

1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one

by one.

2. Fabric plane and FPC restart phase: Healing is attempted by restarting both the

fabric planes and the FPCs. If there are bad FPCs that are unable to initiate

high-speed links to the fabric after reboot, blackholing is limited because no

interfaces are created for these FPCs.

3. FPC offline phase: Blackholing is limited by turning the FPCs offline and by turning

off interfaces because previous attempts at recovery have failed.

By default, the system limits blackhole time by detecting severely degraded fabric. You do not need to configure anything to enable this feature. However, you can limit the automatic recovery actions to the fabric plane restart phase only; in that case, you must perform steps 2 and 3 manually to stop the blackholing.

In Junos OS Release 11.4, new alarms are added to indicate which FPCs are blackholing traffic in the system and to provide information about FPCs that are taken offline to stop the blackholing during the recovery process.

In Junos OS Release 11.4, new error messages are added to indicate whether blackholing was detected through unreachable FPCs in the system or is due to all planes being offline. These messages also indicate the actions taken on FPCs and planes to stop the blackholing, for example, FPC online, FPC offline, FPC restart, FPC power off, plane online, and plane offline.

In Junos OS Release 11.4, two new CLI commands are introduced for this feature:

• The show chassis fabric unreachable-destinations command shows the list of

destinations that have changed from reachable to unreachable.

• The show chassis fabric reachability command shows the current state of fabric

destination reachability, based on periodic reachability checks.

[System Basics and Services Command Reference, System Log Messages Reference]

• Microcode remap (M320 and M120 routers)—M320 routers with E3 type-1 FPCs and M120 routers with a single type-1 FPC mapped to an FEB support a new microcode map to resolve microcode overflow resulting from bad PIC combinations.

On M320 routers, the new microcode map is enabled by default and is the only option available.

On M120 routers, you can enable the new microcode map by using the ucode-imem-remap statement at the [edit chassis feb slot-number] hierarchy level. On M120 routers, the default microcode map remains in effect if the ucode-imem-remap statement is not configured.

[edit chassis]
feb slot-number {
    ucode-imem-remap;
}

NOTE: On M120 routers, the FEB is automatically restarted after the ucode-imem-remap statement is configured and committed.

[System Basics, Network Interfaces]

• Support for ESMC or SSM quality-based clock selection mode (MX Series routers)—Enables you to decide whether clock source selection should use the configured or the received Ethernet Synchronization Message Channel (ESMC) or Synchronization Status Message (SSM) quality level for a qualifying interface.

If you configure the selection-mode statement as configured-quality at the [edit chassis synchronization] hierarchy level, the clock source selection algorithm uses the ESMC or SSM quality level configured for a qualifying interface.

If you configure the selection-mode statement as received-quality at the [edit chassis synchronization] hierarchy level, the clock source selection algorithm uses the ESMC or SSM quality level received on the qualifying interface.

In both selection modes, an interface qualifies for clock source selection only when the received ESMC or SSM quality level on the interface is equal to or better than the configured ESMC or SSM quality level for the interface.


For the selection-mode statement configuration to take effect, you must set the quality-mode-enable statement at the [edit chassis synchronization] hierarchy level.

To configure ESMC or SSM quality-based clock selection mode, include the quality-mode-enable and selection-mode statements at the [edit chassis synchronization] hierarchy level.

[System Basics, Junos OS Configuration Statements and Commands]
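The two selection modes, as an added example in Python that is not part of the release notes or of Junos OS. It decodes the SSM code from a constructed ESMC PDU (ITU-T G.8264 layout: slow-protocol subtype 0x0A, ITU OUI 00-19-A7, ITU subtype 0x0001, a version/flags byte and three reserved bytes, then the QL TLV), applies the qualification rule stated above, and ranks the qualifying sources by either the configured or the received quality level. The quality levels are the G.781 Option I set; the per-interface priority used as a tie-breaker, and priority-only selection when quality-mode-enable is absent, are assumptions of the example. The point worth noticing is the trust difference between the modes: in received-quality mode the neighbour's advertised level drives the ranking directly, so a peer that advertises PRC wins even when the operator configured it as only SSU-B, whereas configured-quality caps what any peer can claim at the locally configured level.

```python
"""ESMC/SSM quality-based clock source selection (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# ITU-T G.781 Option I quality levels, best first, with their 4-bit SSM codes.
QL_RANK = {"PRC": 0, "SSU-A": 1, "SSU-B": 2, "SEC": 3, "DNU": 4}
SSM_TO_QL = {0b0010: "PRC", 0b0100: "SSU-A", 0b1000: "SSU-B", 0b1011: "SEC", 0b1111: "DNU"}

SLOW_PROTO_SUBTYPE_ESMC = 0x0A
ITU_OUI = b"\x00\x19\xa7"
ITU_SUBTYPE_ESMC = b"\x00\x01"
QL_TLV_TYPE = 0x01


def ssm_from_esmc(pdu: bytes) -> int:
    """Extract the SSM code from an ESMC PDU body (everything after Ethertype 0x8809).

    Layout (G.8264): subtype(1) OUI(3) ITU subtype(2) version/flags(1) reserved(3)
    then the QL TLV: type 0x01, length 0x0004, one byte whose low nibble is the SSM."""
    if len(pdu) < 14 or pdu[0] != SLOW_PROTO_SUBTYPE_ESMC:
        raise ValueError("not an ESMC PDU")
    if pdu[1:4] != ITU_OUI or pdu[4:6] != ITU_SUBTYPE_ESMC:
        raise ValueError("wrong OUI or ITU subtype")
    if pdu[10] != QL_TLV_TYPE or pdu[11:13] != b"\x00\x04":
        raise ValueError("first TLV is not the QL TLV")
    return pdu[13] & 0x0F


def make_esmc(ssm: int, event: bool = False) -> bytes:
    """Build a minimal ESMC PDU body (constructed for the example; no padding or FCS)."""
    version_flags = (1 << 4) | (0x08 if event else 0)   # version 1, event flag
    return (bytes([SLOW_PROTO_SUBTYPE_ESMC]) + ITU_OUI + ITU_SUBTYPE_ESMC
            + bytes([version_flags]) + b"\x00\x00\x00"
            + bytes([QL_TLV_TYPE, 0x00, 0x04, ssm & 0x0F]))


@dataclass
class ClockSource:
    interface: str
    configured_ql: str        # quality level the operator configured for the interface
    received_pdu: bytes       # last ESMC PDU seen on the interface
    priority: int = 100       # assumed tie-breaker, lower wins

    @property
    def received_ql(self) -> str:
        # Unknown SSM codes are treated as DNU so they can never qualify.
        return SSM_TO_QL.get(ssm_from_esmc(self.received_pdu), "DNU")


def qualifies(src: ClockSource) -> bool:
    """Received QL must be equal to or better than the configured QL (both modes)."""
    return QL_RANK[src.received_ql] <= QL_RANK[src.configured_ql]


def select_clock(sources: List[ClockSource], selection_mode: str,
                 quality_mode_enable: bool = True) -> Optional[ClockSource]:
    """Pick the clock source the way [edit chassis synchronization] selection-mode would."""
    if selection_mode not in ("configured-quality", "received-quality"):
        raise ValueError("selection-mode must be configured-quality or received-quality")
    if not quality_mode_enable:
        # Assumption: without quality-mode-enable, selection-mode has no effect
        # and only the priority decides.
        return min(sources, key=lambda s: (s.priority, s.interface), default=None)
    candidates = [s for s in sources if qualifies(s)]
    if not candidates:
        return None

    def effective(s: ClockSource) -> str:
        return s.configured_ql if selection_mode == "configured-quality" else s.received_ql

    return min(candidates, key=lambda s: (QL_RANK[effective(s)], s.priority, s.interface))


def sample_sources() -> List[ClockSource]:
    """Constructed inputs: the peer on ge-0/0/1 advertises PRC but is configured as SSU-B."""
    return [
        ClockSource("ge-0/0/1", "SSU-B", make_esmc(0b0010), priority=1),  # receives PRC
        ClockSource("ge-0/0/2", "PRC",   make_esmc(0b0010), priority=2),  # receives PRC
        ClockSource("ge-0/0/3", "PRC",   make_esmc(0b1011), priority=0),  # receives SEC
    ]
```

With the sample sources, configured-quality selects ge-0/0/2 (its configured PRC outranks ge-0/0/1's configured SSU-B), received-quality selects ge-0/0/1 (both receive PRC and it has the better priority), and ge-0/0/3 never qualifies because the received SEC is worse than its configured PRC.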

• Additional MPC support for SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MX Series routers)—There are two types of SONET/SDH (Multi-Rate) MICs with SFP: the 8-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which offers high port density, and the 4-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which offers low port density. These MICs were introduced in Junos OS Release 11.2. Refer to the Junos OS 11.2 release notes for more information.

In Junos OS Release 11.2, the 8-port and 4-port SONET/SDHOC3/STM1 (Multi-Rate)

MICs with SFP are supported on the following MPCs:

• 30-Gigabit Ethernet MPC (MX-MPC1-3D)

• 30-Gigabit Ethernet Queuing MPC (MX-MPC1-3D-Q)

In Junos OS Release 11.4, the support for 8-port and 4-port SONET/SDHOC3/STM1

(Multi-Rate) MICs with SFP has been extended to the following MPCs:

• 60-Gigabit Ethernet MPC (MX-MPC2-3D)

• 60-Gigabit Ethernet Queuing MPC (MX-MPC2-3D-Q)

• 60-Gigabit Ethernet Enhanced Queuing MPC (MX-MPC2-3D-EQ)

[Network Interfaces]

• Consortium Local Management Interface extended to Frame Relay protocol (MX Series routers)—Extended Consortium Local Management Interface (C-LMI) support for MX Series routers with the specified MICs adds support for Consortium LMI based on the "Gang of Four" or "Consortium" standard (Section 6).

The following MICs are supported:

• MIC-8OC3OC12-4OC48-SFP—8-port Clear-Channel OC3/OC12/STM-1/STM-4,

4-port Clear-Channel OC48/STM-16

• MIC-4OC3OC12-1OC48-SFP—4-portClear-ChannelOC3/OC12/STM-1/STM-4, 1-port

Clear-Channel OC48/STM-16

• MIC-3D-8CHOC3-4CHOC12-SFP—8-port Channelized OC3/STM-1, 4-port

Channelized OC12/STM-4

• MIC-3D-4CHOC3-2CHOC12-SFP—4-port Channelized OC3/STM-1, 2-port

Channelized OC12/STM-4

• MIC-3D-8DS3-E3—8-port Clear-Channel DS3/E3


The following are also supported:

• MX80

• MX-MPC1-3D—30 Gbps, per-port queuing, 64K logical interfaces

• MX-MPC2-3D—60 Gbps, per-port queuing, 64K logical interfaces

• MX-MPC1-3D-Q—30 Gbps, enhanced queuing, 128K queues (maximum 64K egress), 32K logical interfaces

• MX-MPC2-3D-Q—60 Gbps, enhanced queuing, 256K queues (maximum 128K egress), 64K logical interfaces

To configure C-LMI, use the lmi-type statement with its c-lmi option at the [edit interfaces interface-name lmi] hierarchy level.

The following encapsulation types are not supported:

• frame-relay-port-ccc

• extended-frame-relay-ether-type-tcc

• frame-relay-ether-type

• frame-relay-ether-type-tcc

[Channelized Interfaces, SONET/SDH Interfaces, E1/E3/T1/T3 Interfaces, Interfaces

Fundamentals]

• IPv6 support for the dynamic flow capture (DFC) application—Starting with Junos OS Release 11.4, support for intercepting IPv6 flows through the DFC application is extended to M320 and T Series routers. IPv6 support is configured using the family inet6 statement at the [edit interfaces dfc-identifier unit 1] hierarchy level.

[Services Interfaces]

• Support for 802.1ag connectivity fault management (CFM) monitoring with service protection (MX Series routers with MPC/MIC interfaces)—Extends support for service protection functionality for Carrier Ethernet transport networks on MX Series routers with MPC/MIC interfaces. Service protection is achieved by configuring a working and a protect transport path. These transport paths can be monitored using the 802.1ag CFM protocol.

[Network Interfaces]

• Support for chassis Enhanced Network Services modes (MX Series routers with MPCs)—You can configure MX Series 3D Universal Edge Routers to run in different network services modes. Each network services mode defines how the chassis identifies and uses certain modules. Junos OS Release 11.4 adds Enhanced IP Network Services mode and Enhanced Ethernet Network Services mode.

To configure the chassis for an Enhanced Network Services mode, include the network-services statement with either the enhanced-ip or the enhanced-ethernet option at the [edit chassis] hierarchy level.


When the chassis is configured for Enhanced IP Network Services mode, only MPCs and Multiservices DPCs are powered on. When the chassis is configured for Enhanced Ethernet Network Services mode, only MPCs and Multiservices DPCs are powered on, and all restrictions for operating in Ethernet Network Services mode apply. For information about Ethernet Network Services restrictions, see "Restrictions on Junos OS Features for MX Series Routers" in the Junos OS System Basics Configuration Guide.

NOTE: Only Multiservices DPCs are powered on with the Enhanced Network Services mode options. No other DPCs function with the Enhanced Network Services mode options.

[System Basics]

• 6rd support for Anycast—Enables hosting of a 6rd domain on multiple services PICs by assigning the same softwire rules to two service sets that use different service interfaces. Only one PIC actively processes the 6rd traffic at any time. When the currently active PIC goes down, the other PIC hosting the same 6rd domain becomes active and takes over the processing of 6rd traffic.

[Services Interfaces, Next-Generation Network Addressing]

• 6rd support for hairpinning—Enables packets exiting one 6rd softwire to be processed by another softwire after twice-NAT processing. This applies when a host behind a softwire initiator tries to communicate with another host behind a softwire initiator.

[Services Interfaces, Next-Generation Network Addressing]

• DS-Lite support for Anycast and 6PE (IPv6 Provider Edge)—Anycast enables hosting of a DS-Lite domain on multiple services PICs by assigning the same softwire rule to two service sets that use different service interfaces. Only one PIC actively processes the DS-Lite traffic at any time. When the currently active PIC goes down, the other PIC hosting the same DS-Lite domain becomes active and takes over the processing of DS-Lite traffic. Anycast provides these benefits:

• Service continuity and load balancing.

• Simplified configuration—one interface address can be used by one or more softwire initiators.

6PE is available for ISPs with MPLS-enabled networks. These networks can now use MP-BGP to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6 nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence of the additional MPLS header information.

[Services Interfaces, Next-Generation Network Addressing Solutions]

• Support for interface-level DHCP statistics (MX Series 3D Universal Edge Routers)—DHCP local server statistics are now maintained per interface. The show dhcp server statistics, show dhcpv6 server statistics, and clear dhcp server statistics commands now display (or clear) extended DHCP and DHCPv6 local server statistics for the specified interface.

[System Basics Configuration Guide]


• Support for connection protection optimization in CFM (MX Series routers)—You can now optimize connection protection in Carrier Ethernet networks using existing continuity check message (CCM) functionality to help increase network reliability and stability. Ethernet Connectivity Fault Management (CFM) monitors end-to-end services by exchanging CCMs at a configurable periodic interval. Starting in Release 11.4, Junos OS provides configuration support to trigger faster protection switching and faster convergence using the interface-status type, length, and value (TLV) in CCM packets when a failure condition is detected. Faster protection switching and convergence can be used when customer edge (CE) devices in the Ethernet domain detect service failures and propagate the information in the interface-status TLV of the CCMs. Upon receiving those CCMs, the provider edge (PE) devices can be configured to take certain actions that facilitate faster protection switching and convergence. The features supported include:

• Configuring faster protection switching and faster convergence using an action profile with the action and clear-action statements.

• Configuring a primary virtual LAN (VLAN) ID using the primary-vid statement.

• Extending MEP functionality to accept a different maintenance association identifier (ID) from a neighbor by using the remote-maintenance-association statement.

[Network Interfaces]

• Synchronous Ethernet support for 10-Gigabit Ethernet MICs in LAN mode (MX Series routers)—Junos OS Release 11.4 extends Synchronous Ethernet functionality on the 10-Gigabit Ethernet MICs by providing support while operating in LAN framing mode. In LAN mode, the LAN frequency is directly fed by the MIC's on-board clocking circuitry. To enable Synchronous Ethernet on the 10-Gigabit Ethernet MICs, you must enable LAN framing mode using the framing statement's lan option at the [edit chassis fpc fpc-slot pic pic-slot] hierarchy level.

The interface must be configured in LAN-PHY mode using the framing-mode statement's wan-phy option at the [edit interfaces xe-fpc-slot/pic-slot/port] hierarchy level.

[Ethernet Interfaces]

• New MX5, MX10, and MX40 3D Universal Edge Routers—Three new routers based on the modular MX80 chassis are available in Junos OS Release 11.2R3. Each router is a compact Ethernet-optimized edge router that provides switching and carrier-class Ethernet routing. Each router provides full duplex, high-density Ethernet interfaces and high-capacity switching throughput and uses the Trio chipset for increased scalability of L2/L3 packet forwarding, buffering, and queuing.

The ports are restricted based on the router's associated license as follows:

• MX5 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows usage of all 20 ports.

• MX10 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows usage of all 20 ports and installation of an additional MIC in MIC slot 2.


• MX40 router allows usage of both MIC slots and the first two ports of the fixed 10-Gigabit Ethernet MIC (labeled 0/MIC 0).

• MX80 router allows usage of both MIC slots and all four ports of the 10-Gigabit Ethernet MIC (labeled 0/MIC 0).

Licenses allow you to upgrade from one router to another without a hardware upgrade.

[MX5, MX10, MX40 and MX80 Hardware Guide, Line Card Guide]

• License support to enhance port capacity of MX5, MX10, and MX40 routers—Enables you to enhance the port capacity of the router without a hardware upgrade, by installing additional licenses. For example, an MX5 router, an MX10 router, or an MX40 router can have the port capacity of an MX80 router, provided the required licenses are installed. These routers use feature pack licenses, which provide additional port capacity with the same hardware. The soft enforcement policy allows the user to use a port for a certain period of time (usually a grace period of 30 days), and reverts if the license for that feature is not installed after the grace period. During the grace period, a reminder to purchase the license is reported in the system logs. Licenses can be upgraded or downgraded. When you downgrade the license, the port associated with the license is unusable. The upgrade license model with the feature ID is described in Table 3 on page 71.

Table 3: Upgrade License Model for MX5, MX10, and MX40 Routers

Functionality Allowed                                                        Feature Name             Feature ID
Allows usage of ports in MIC slot 2.                                         MX5T to MX10T upgrade    f1
Allows usage of ports in MIC slot 2, and the first two ports of MIC slot 0.  MX10T to MX40T upgrade   f2
Allows usage of ports in MIC slot 2, with all four ports of MIC slot 0.      MX40T to MX80T upgrade   f3

To upgrade from one router to a higher-capacity router, appropriate licenses must be installed. For example, to upgrade an MX5 router to an MX80 router, you must install the licenses for all three features listed in Table 3 on page 71. The three features can be provided in a single license key for ease of use. Nonapplicable feature IDs in a license key cause rejection of the license. If the user installs the license key for the f1 feature on an MX10 router, the license key gets rejected because the MX10 router already has the port capacity associated with the license key for the f1 feature.

[Line Card Guide, System Basics and Services Command Reference]

• Inline static source NAT (MX Series routers with MPCs/MICs)—Enables configuration of MPCs/MICs to perform static source NAT IPv4 to IPv4 address translation. Use the new si (services-inline) interface type to define an interface that can be assigned to an interface style or next-hop style service set containing a NAT rule for inline NAT using the translation type basic-nat44.

NOTE: Stateful firewall functionality still requires a Multiservices DPC or Multiservices PIC.

Use the show services inline nat statistics interface interface-name command to display inline NAT statistics for all services-inline interfaces or a particular one.

[Services Interfaces, Network Interfaces, Systems Basics and Service Command Reference]

• DS-Lite support for EIM, EIF, AP-P, and hairpinning—DS-Lite now supports:

• EIM (Endpoint Independent Mapping)—EIM ensures that the source address and port are always mapped to the same address and port, irrespective of destination IP address and port.

• EIF (Endpoint Independent Filtering)—EIF enables incoming traffic if at least one outgoing packet was sent and the mapping has not timed out.

• AP-P (Address Pooling Paired)—AP-P guarantees that an IP address is always mapped to the same IP address irrespective of port numbers.

• Hairpinning—Packets exiting one softwire can go back on another softwire after being NAT-processed twice. This is usually the case when one host behind the softwire initiator (B4) tries to communicate with a host behind another B4.

No new CLI configuration statements have been created to implement these features. The following example shows a configuration that implements EIM, EIF, and AP-P.

nat {
    rule rule1 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool pool1;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
    }
}

[Services Interfaces, Next-Generation Network Addressing Solutions]
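To make the three options concrete, the following is an added Python example (not Juniper's code, and it does not touch a device): a NAPT44 mapping table in which EIM, EIF and AP-P can each be switched on, contrasted with a strict endpoint-dependent mode; the pool addresses, internal hosts, remote endpoints, ports and the idle timeout are all constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Mapping:
    external: Endpoint
    last_used: float
    contacted: Set[Endpoint] = field(default_factory=set)  # remotes this endpoint sent to


class Napt44:
    """Added example (not Juniper's code): a NAPT44 table with three switches.
    eim    - key a mapping by internal (ip, port) only, else by (internal, remote)
    eif    - accept inbound from any remote while the mapping lives, else only
             from remotes the internal endpoint has already sent to
    paired - pin each internal IP to one pool address (AP-P), else round-robin"""

    def __init__(self, pool: List[str], eim=True, eif=True, paired=True,
                 timeout=300.0, first_port=1024):
        self.pool, self.eim, self.eif, self.paired = list(pool), eim, eif, paired
        self.timeout = timeout          # idle seconds before a mapping expires
        self.next_port = {ip: first_port for ip in self.pool}
        self.rr = 0                     # round-robin index into the pool
        self.pair: Dict[str, str] = {}  # internal IP -> pool IP (AP-P)
        self.mappings: Dict[tuple, Mapping] = {}
        self.by_external: Dict[Endpoint, tuple] = {}

    def _key(self, src: Endpoint, dst: Endpoint):
        return src if self.eim else (src, dst)

    def _pool_address(self, src_ip: str) -> str:
        if self.paired and src_ip in self.pair:
            return self.pair[src_ip]
        ip = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        if self.paired:
            self.pair[src_ip] = ip
        return ip

    def _expire(self, now: float) -> None:
        for key, m in list(self.mappings.items()):
            if now - m.last_used > self.timeout:
                del self.by_external[m.external]
                del self.mappings[key]

    def outbound(self, src: Endpoint, dst: Endpoint, now=0.0) -> Endpoint:
        """Translate an outgoing packet; returns the external (ip, port) used."""
        self._expire(now)
        key = self._key(src, dst)
        m = self.mappings.get(key)
        if m is None:
            ip = self._pool_address(src[0])
            m = Mapping((ip, self.next_port[ip]), now)
            self.next_port[ip] += 1
            self.mappings[key] = m
            self.by_external[m.external] = key
        m.last_used = now
        m.contacted.add(dst)
        return m.external

    def inbound(self, external: Endpoint, remote: Endpoint, now=0.0) -> Optional[Endpoint]:
        """Return the internal (ip, port) an incoming packet is delivered to, or None."""
        self._expire(now)
        key = self.by_external.get(external)
        if key is None:
            return None                        # no mapping (or it timed out)
        m = self.mappings[key]
        if not self.eim and remote != key[1]:
            return None                        # mapping is bound to one remote
        if not self.eif and remote not in m.contacted:
            return None                        # endpoint-dependent filtering
        m.last_used = now
        return key if self.eim else key[0]


def demo() -> dict:
    """Two hosts behind a B4 reach two servers: EIM/EIF/AP-P versus strict mode."""
    h1, h1b, h2 = ("10.0.0.5", 40000), ("10.0.0.5", 40001), ("10.0.0.6", 40000)
    s1, s2, other = ("198.51.100.1", 80), ("198.51.100.2", 443), ("192.0.2.99", 5000)
    nat = Napt44(["203.0.113.10", "203.0.113.11"])   # constructed pool
    e1 = nat.outbound(h1, s1, now=0)
    r = {
        "eim_same_external": nat.outbound(h1, s2, now=1) == e1,        # True
        "app_same_address": nat.outbound(h1b, s1, now=1)[0] == e1[0],  # True
        "h2_external": nat.outbound(h2, s1, now=2),   # ('203.0.113.11', 1024)
        "eif_unsolicited": nat.inbound(e1, other, now=3),   # delivered to h1
        "after_timeout": nat.inbound(e1, s1, now=1000),     # None
    }
    strict = Napt44(["203.0.113.10"], eim=False, eif=False, paired=False)
    a = strict.outbound(h1, s1)
    r["edm_new_external"] = strict.outbound(h1, s2) != a   # True
    r["edf_unsolicited"] = strict.inbound(a, other)        # None
    r["edf_known_remote"] = strict.inbound(a, s1)          # h1
    return r
```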

• Ping and traceroute available for DS-Lite softwire tunnels—You can now use ping and traceroute to determine the status of DS-Lite softwire tunnels.

• IPv6 Ping—The softwire address endpoint on the DS-Lite softwire terminator (AFTR) is usually configured under softwire and need not be hosted on any interface. When it is not configured on any interface or loopback, previous releases of Junos OS did not provide replies to pings to the IPv6 softwire address. The new availability of an IPv6 ping provides a useful tool for the softwire initiator (B4) to verify the AFTR's softwire address before creating a tunnel.

• IPv4 Ping—A special IPv4 address, 192.0.0.1, is reserved for the AFTR. Previous releases of Junos OS did not respond to any pings sent to this address. B4 and other IPv4 nodes can now ping this address to see if the DS-Lite tunnel is working.

• Traceroute—The AFTR now generates and forwards traceroute packets over the DS-Lite tunnel.

No CLI configuration is necessary to use the new functionality. The following lines have been added to the output of show services softwire statistics interface interface-name ds-lite:

    ICMPv4 Error Packets sent :0 ICMPv6 Packets sent :0

[Services Interfaces, Next-Generation Network Addressing Solutions]

Junos OS XML API and Scripting

• Junos XML protocol operation <load-configuration> supports loading sets of configuration mode commands—In Junos XML protocol sessions, the <load-configuration> tag element supports the value set for the action attribute, which allows the client application to provide configuration data as a set of Junos OS configuration mode commands. When a set of configuration mode commands is provided as a data stream, it is enclosed in the <configuration-set> tag element. When the set is provided in a previously saved file, the <configuration-set> tag element is not included in the file. When the action attribute has a value of set, the default and only acceptable value for the format attribute is text.

<rpc>
    <load-configuration url="file-location" action="set" format="text"/>
</rpc>

<rpc>
    <load-configuration action="set" format="text">
        <configuration-set>
            /* configuration mode commands to load */
        </configuration-set>
    </load-configuration>
</rpc>

[Junos XML Management Protocol Guide]

• NETCONF Perl client installation supports loading prerequisites from CPAN—Starting with Junos OS Release 11.4, when installing the NETCONF Perl client prerequisites, the install-prereqs.pl script provides the option to install all Perl modules that are part of the prerequisites directly from the Comprehensive Perl Archive Network (CPAN) global repository.


[NETCONF XMLManagement Protocol Guide]

• Support added for the format attribute in Junos XML API operational request tags within a Junos XML protocol or NETCONF session—In Junos XML protocol and NETCONF sessions, a client application can include the format="text" or format="ascii" attribute in the opening tag of operational requests. The server formats the reply as ASCII text instead of the default XML-tagged format. The response, which is enclosed in an <output> tag element within the <rpc-reply> tag element, is identical to the CLI output except in cases where it includes disallowed characters. The Junos XML protocol server substitutes these characters with the equivalent predefined entity reference.

<rpc>
    <operational-request [format="(text | ascii)"]>
    </operational-request>
</rpc>

<rpc-reply>
    <output>
        operational-response
    </output>
</rpc-reply>

[NETCONF XML Management Protocol Guide, Junos XML Management Protocol Guide]
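Building the set-format <load-configuration> RPC described two items above and unpacking a format="text" reply as described here, as an added Python example that is not Juniper's code: it uses only the standard library, contacts no device, and the command strings, file path, request tag and sample reply are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple


def build_set_rpc(commands: List[str], url: Optional[str] = None) -> str:
    """<load-configuration action="set" format="text"> with the commands inline,
    or, when url is given, read from a file already on the device (then no
    <configuration-set> element is sent, as the release note states)."""
    rpc = ET.Element("rpc")
    load = ET.SubElement(rpc, "load-configuration", action="set", format="text")
    if url is not None:
        load.set("url", url)
    else:
        cset = ET.SubElement(load, "configuration-set")
        # ElementTree escapes <, > and & in the text, so a command that contains
        # them (e.g. inside a description string) cannot close the element early.
        cset.text = "\n".join(commands) + "\n"
    return ET.tostring(rpc, encoding="unicode")


def parse_set_rpc(rpc_xml: str) -> Tuple[dict, List[str]]:
    """Inverse of build_set_rpc: returns (load-configuration attributes, commands)."""
    load = ET.fromstring(rpc_xml).find("load-configuration")
    if load is None:
        raise ValueError("no <load-configuration> element")
    cset = load.find("configuration-set")
    lines = cset.text.splitlines() if cset is not None and cset.text else []
    return dict(load.attrib), [line for line in lines if line.strip()]


def build_text_request(request_tag: str, fmt: str = "text") -> str:
    """Operational request carrying the format attribute in its opening tag."""
    if fmt not in ("text", "ascii"):
        raise ValueError("format must be text or ascii")
    rpc = ET.Element("rpc")
    ET.SubElement(rpc, request_tag, format=fmt)
    return ET.tostring(rpc, encoding="unicode")


def extract_text_output(reply_xml: str) -> str:
    """Return the CLI text carried in <rpc-reply><output>. Parsing resolves the
    predefined entity references the server substituted for disallowed
    characters; an <rpc-error> in the reply raises instead."""
    root = ET.fromstring(reply_xml)
    if root.tag != "rpc-reply":
        raise ValueError("expected <rpc-reply>, got <%s>" % root.tag)
    errors = [e.findtext("error-message", "").strip() for e in root.iter("rpc-error")]
    if errors:
        raise RuntimeError("; ".join(errors))
    output = root.find("output")
    return (output.text or "") if output is not None else ""


# Constructed sample reply to a format="text" request (not captured from a device).
SAMPLE_REPLY = (
    "<rpc-reply><output>Description: &quot;uplink &lt;core&gt;&quot;\n"
    "Link-level type: Ethernet, MTU: 1514\n</output></rpc-reply>"
)

SAMPLE_COMMANDS = [  # constructed configuration-mode commands
    "set system host-name edge-1",
    'set interfaces ge-0/0/0 description "uplink <core>"',
]
```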

• Support added for NETCONF sessions in the jcs:open() function—The jcs:open() function includes the option to create a session either with the Junos XML protocol server on devices running Junos OS or with the NETCONF server on devices where NETCONF service over SSH is enabled. The additional support for NETCONF sessions permits automation scripts to configure and manage devices in a multivendor environment.

When specifying a session protocol, the SLAX syntax is:

var $connection = jcs:open(remote-hostname, session-options);

where session-options is an XML node-set that specifies the session protocol and connection parameters. The structure of the node-set is:

var $session-options := {
    <method> ("junoscript" | "netconf" | "junos-netconf");
    <username> "username";
    <passphrase> "passphrase";
    <password> "password";
    <port> "port-number";
}

Specifying a <method> value of junoscript establishes a session with the Junos XML protocol server on a device running Junos OS, specifying netconf establishes a session with a NETCONF server over an SSHv2 connection, and specifying junos-netconf establishes a session with the NETCONF server over an SSHv1 connection on a device running Junos OS. If you do not specify a protocol, a junoscript session is created by default.

[Junos OS Configuration and Operations Automation Guide]

• NETCONF Java toolkit for rapid development of Java applications to manage Junos devices—The toolkit provides an object-oriented programmatic interface to manage and configure Junos routing, switching, and security devices via the NETCONF (RFC 4741) protocol. The toolkit enables programmers familiar with the Java programming language to easily connect to a routing, switching, or security device, open a NETCONF session, construct configuration hierarchies in XML, and create and execute operational and configuration requests.

The NETCONF Java toolkit provides classes with methods that implement the functionality of the NETCONF protocol operations defined in RFC 4741. All basic protocol operations are supported. The NETCONF XML management protocol uses XML-based data encoding for configuration data and remote procedure calls. The toolkit provides classes and methods that aid in creating, modifying, and parsing XML.

[NETCONF Java Toolkit Guide]

Layer 2 Ethernet Services

• IP multicast over Layer 2 trunk port support—Layer 3 multicast is now supported on Layer 2 trunk ports through integrated routing and bridging (IRB) interfaces on the MX80 router and on MX Series routers using Modular Port Concentrators (MPCs)/Modular Interface Controllers (MICs).

[Layer 2]

MPLS Applications

• Support for RSVP-signaled point-to-multipoint LSPs extended to logical systems (M Series, T Series, and MX Series routers)—Starting Junos OS Release 11.4, the following topologies are supported:

• A single logical system in a physical router. The logical system is one node in an RSVP-signaled point-to-multipoint LSP.

• Multiple logical systems in a physical router, with each logical system acting as a label-switched router (LSR). The multiple logical systems can be unconnected, connected to each other internally with logical tunnel (lt) interfaces, or connected to each other externally with back-to-back connections.

• One RSVP-signaled point-to-multipoint LSP, with some nodes being logical systems and other nodes being physical routers.

• Support for shared risk link groups—In MPLS traffic engineering, a shared risk link group (SRLG) is a set of links sharing a common resource, which affects all links in the set if the common resource fails. These links share the same risk of failure and are therefore considered to belong to the same SRLG. For example, links sharing a common fiber are said to be in the same SRLG because a fault with the fiber might cause all links in the group to fail.

An SRLG is represented by a 32-bit number unique within an IGP (OSPFv2 and IS-IS) domain. A link might belong to multiple SRLGs. The SRLG of a path in an LSP is the set of SRLGs for all the links in the path. When computing the secondary path for an LSP, it is preferable to find a path such that secondary and primary paths do not have any links in common and the SRLGs for the primary and secondary paths are disjoint.


This ensures that a single point of failure on a particular link does not bring down both the primary and the secondary paths in the LSP.

When SRLG is configured, the device uses the Constrained Shortest Path First (CSPF) algorithm and tries to keep the links used for the primary and secondary paths mutually exclusive. If the primary path goes down, the CSPF algorithm computes the secondary path by trying to avoid links sharing any SRLG with the primary path. In addition, when computing the path for a bypass LSP, CSPF tries to avoid links sharing any SRLG with the protected links.

When SRLG is not configured, CSPF only takes into account the costs of the links when computing the secondary path.

Any change in link SRLG information triggers the IGP to send LSP updates for the new link SRLG information. CSPF recomputes the paths during the next round of reoptimization.

Junos OS Release 11.4 and later support SRLG based on the following RFCs:

• RFC 4203, OSPF Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS).

• RFC 5307, IS-IS Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS).

To configure the SRLG name, cost, and value, include the srlg srlg-name statement at the following hierarchy levels:

• [edit routing-options]

• [edit logical-systems logical-system-name routing-options]

The srlg srlg-name statement has the following options:

• srlg-cost—Include a cost for the SRLG ranging from 1 through 65535. The cost of the SRLG determines the level of impact this SRLG has on the CSPF algorithm for path computations. The higher the cost, the less likely it is for a secondary path to share the same SRLG as the primary path. By default, the srlg-cost is 1.

• srlg-value—Include a group ID for the SRLG ranging from 1 through 4294967295.

• Associate the SRLG with the MPLS interface at the [edit protocols mpls interface interface-name] or [edit logical-systems logical-system-name protocols mpls interface interface-name] hierarchy level.

• For critical links where it is imperative to keep the secondary and primary paths completely disjoint from any common SRLG, configure the exclude-srlg statement at the [edit protocols mpls label-switched-path path-name] or [edit logical-systems logical-system-name protocols mpls label-switched-path path-name] hierarchy level. If exclude-srlg is configured, the CSPF algorithm excludes any link belonging to the set of SRLGs in the primary path. If exclude-srlg is not configured, and if a link belongs to the set of SRLGs in the primary path, CSPF adds the SRLG cost to the metric, but still accepts the link for computing the path.


• To make the dynamic bypass LSP and the protected link completely disjoint in any SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface interface-name link-protection] or [edit logical-systems logical-system-name protocols rsvp interface interface-name link-protection] hierarchy level.

• To make the manual bypass LSP and the protected link completely disjoint in any SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface interface-name link-protection bypass destination] hierarchy level or the [edit logical-systems logical-system-name protocols rsvp interface interface-name link-protection bypass destination] hierarchy level.

For manual and dynamic bypass LSPs, if exclude-srlg is configured, the CSPF algorithm excludes any link belonging to the set of SRLGs of the protected link. If exclude-srlg is not configured, and if a link belongs to the set of SRLGs of the protected link, CSPF adds the SRLG cost to the link metric, but still accepts the link for computing the path.

Use the following operational mode commands to verify the SRLG configuration:

• show mpls srlg—Verify SRLG-to-value mappings and SRLG cost.

• show mpls lsp—Verify that when the primary or secondary path is up, the appropriate SRLG values are shown.

• show mpls interface—Verify that the correct SRLG is associated with the appropriate interface.

• show isis database extensive and show ospf database extensive—Verify the SRLG values in the type length values (TLV).

• show ted database extensive and show ted link detail—Verify that the output shows the correct SRLG on the TE link.

• show mpls admin-groups-extended—View MPLS extended administrative groups.

[MPLS]
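The effect of srlg-cost and exclude-srlg on secondary-path computation, as an added Python example that is not Juniper's code: a small CSPF computes the primary path by metric, then the secondary path while penalizing (srlg-cost) or excluding (exclude-srlg) links that share an SRLG with the primary. The topology, metrics and SRLG numbers are constructed; charging one srlg-cost per shared SRLG and treating the primary's own links as unusable for the secondary are simplifying assumptions made here.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    metric: int
    srlgs: FrozenSet[int] = frozenset()   # SRLG values advertised by the IGP

    def other(self, node: str) -> str:
        return self.b if node == self.a else self.a


class Cspf:
    """Added example (not Juniper's code): CSPF over bidirectional links with
    the srlg-cost / exclude-srlg behaviour described in the release note."""

    def __init__(self, links: List[Link], srlg_cost: Optional[Dict[int, int]] = None):
        self.links = links
        self.srlg_cost = srlg_cost or {}   # srlg-cost per SRLG value, default 1

    def shortest_path(self, src: str, dst: str, avoid_links=frozenset(),
                      avoid_srlgs=frozenset(), exclude_srlg=False):
        """Dijkstra; returns (cost, [links]) or None if dst is unreachable."""
        dist: Dict[str, int] = {src: 0}
        prev: Dict[str, Tuple[str, Link]] = {}
        heap = [(0, src)]
        while heap:
            d, node = heapq.heappop(heap)
            if d > dist[node]:
                continue
            if node == dst:
                break
            for link in self.links:
                if node not in (link.a, link.b) or link in avoid_links:
                    continue
                shared = link.srlgs & avoid_srlgs
                if shared and exclude_srlg:
                    continue   # exclude-srlg: a link in an avoided SRLG is not a candidate
                # Without exclude-srlg the SRLG cost is added to the metric and the
                # link stays usable (one srlg-cost per shared SRLG is an assumption).
                w = link.metric + sum(self.srlg_cost.get(s, 1) for s in shared)
                nxt = link.other(node)
                if d + w < dist.get(nxt, float("inf")):
                    dist[nxt] = d + w
                    prev[nxt] = (node, link)
                    heapq.heappush(heap, (d + w, nxt))
        if dst not in dist:
            return None
        path, cur = [], dst
        while cur != src:
            cur, link = prev[cur]
            path.append(link)
        return dist[dst], path[::-1]

    def primary_and_secondary(self, src: str, dst: str, exclude_srlg=False):
        """Primary by plain metric; secondary avoids the primary's links
        (a simplification here) and applies SRLG handling to the rest."""
        prim = self.shortest_path(src, dst)
        if prim is None:
            return None, None
        prim_srlgs = frozenset().union(*(l.srlgs for l in prim[1]))
        sec = self.shortest_path(src, dst, avoid_links=frozenset(prim[1]),
                                 avoid_srlgs=prim_srlgs, exclude_srlg=exclude_srlg)
        return prim, sec


def route(src: str, links: List[Link]) -> List[str]:
    """Node sequence of a path returned by shortest_path."""
    nodes, cur = [src], src
    for link in links:
        cur = link.other(cur)
        nodes.append(cur)
    return nodes


def demo(srlg_cost=None, exclude_srlg=False):
    """Constructed topology: A-B and A-C ride the same fiber (SRLG 10)."""
    topo = [
        Link("A", "B", 1, frozenset({10})), Link("B", "D", 1),
        Link("A", "C", 2, frozenset({10})), Link("C", "D", 2),
        Link("A", "E", 3), Link("E", "D", 3),
    ]
    prim, sec = Cspf(topo, srlg_cost).primary_and_secondary("A", "D", exclude_srlg)
    return (prim[0], route("A", prim[1])), (sec[0], route("A", sec[1]))
```

With the default srlg-cost of 1 the cheaper A-C-D path is still chosen despite sharing SRLG 10 with the primary; raising the cost to 5, or setting exclude-srlg, moves the secondary onto the SRLG-disjoint A-E-D path.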

• Support for MPLS feature interoperability (MX Series routers with MPC/MIC interfaces)—Extends support for MPLS feature interoperability with Junos OS Releases 9.5 through 10.0 on MX Series routers with MPC/MIC interfaces. MPLS features can now interoperate between MPCs and DPCs on MX Series routers.

The following features are supported on MPC/MIC interfaces:

• Configuring up to 64 equal-cost multipath (ECMP) next hops to load-balance the traffic on various routes such as OSPF, BGP, and IS-IS.

• Configuring a network of RSVP-signaled MPLS routers to automatically update the full mesh of label-switched paths (LSPs) between the provider edge (PE) routers whenever a new PE router is added.

[System Basics Configuration Guide, MPLS Configuration Guide]

• Enhanced support for Junos Trio chipsets—Starting with Junos OS Release 11.4, the Junos Trio chipset supports the following features:


• Multicast load balancing of point-to-multipoint label-switched paths (LSPs) over aggregated Ethernet child links.

• Automatic policers for MPLS point-to-multipoint LSPs.

• Display of packet and byte statistics for sub-LSPs of a point-to-multipoint LSP.

• GRES and graceful restart for MPLS point-to-multipoint LSPs.

• Multicast virtual private network (MVPN) extranet or overlapping functionality.

[MPLS, VPNs]

• LSP setup protection using facility backup fast reroute—The facility-backup fast reroute mechanism has been extended to provide setup protection for LSPs that are in the process of being signaled. This feature is applicable in the following scenario:

1. A failed link or node is present on the strict explicit path of an LSP before the LSP is signaled.

2. There is also a bypass LSP protecting the link or node.

3. RSVP signals the LSP through the bypass LSP. The LSP appears as if it was originally set up along its primary path and then failed over to the bypass LSP because of the link or node failure.

4. When the link or node has recovered, the LSP can be automatically reverted to the primary path.

Both point-to-point LSPs and point-to-multipoint LSPs are supported. To enable LSP setup protection, configure the setup-protection statement at the [edit protocols rsvp] hierarchy level. You should configure the setup-protection statement on each of the routers along the LSP path on which you want to enable LSP setup protection. You should also configure IGP traffic engineering on all of the routers on the LSP path. You can issue a show rsvp session command to determine whether or not the LSP has setup protection enabled on a router acting as a point of local repair (PLR) or a merge point.

[MPLS Applications]


Network Management

• New enterprise-specific MIBs to view PPP and PPPoE information (M Series and MX Series routers)—Junos OS Release 11.4 introduces three new enterprise-specific MIBs to extend SNMP support for PPP and PPPoE: JNX-PPP-MIB (RFC 1661), PPP-LCP-MIB (RFC 1471), and JNX-PPPOE-MIB (RFC 2516). These MIBs contain PPP- and PPPoE-related information such as the type of authentication used, interface characteristics, status, and statistics.

You can access this information using SNMP get and get-next requests. If an attribute is not supported, the attribute returns either zero or the default value.

This feature does not support creation or configuration of PPP or PPPoE interfaces using SNMP set requests.

[SNMP MIBs and Traps Reference]

• Support for P2MP MPLS-TE MIB—Starting Release 11.3, Junos OS supports the standard P2MP MPLS-TE MIB as defined in draft-ietf-mpls-p2mp-te-mib-09.txt. Support for P2MP MPLS-TE MIB augments the standard P2P MPLS-TE MIB defined in RFC 3812 and extends SNMP support to point-to-multipoint tunnel-related data. However, the Junos OS implementation of the standard P2MP MPLS-TE MIB does not support mplsTeP2mpTunnelBranchPerfTable because Junos OS does not support the corresponding table in MPLS-TE MIB.

[SNMP MIBs and Traps Reference]

• SNMP support for LAC and LNS (MX Series routers with MPC/MIC interfaces)—SNMP extends support for MX Series routers with MPC/MIC interfaces acting as the L2TP network server (LNS) and L2TP access concentrator (LAC) in Junos OS Release 11.4 and later. In earlier releases, SNMP support for LAC and LNS was provided only for M Series routers.

The existing enterprise-specific MIB, JNX-L2TP-MIB, now maintains tunnel and session information for both M Series and MX Series routers. The MX Series routers use the Common Edge L2TP process, jl2tpd.

The following objects are not supported on the jl2tpd LAC in jnxL2TPTunnelStatsTable and jnxL2TPSessionStatsTable:

• jnxL2tpTunnelStatsServiceInterface (applicable to LNS only)

• jnxL2tpTunnelStatsTunnelGroup (applicable to LNS only)

• jnxL2tpSessionStatsServiceInterface (applicable to LNS only)

• jnxL2tpSessionStatsTunnelGroup (applicable to LNS only)

• jnxL2tpSessionStatsInterfaceID (applicable to LNS only)

The following objects are not supported on jl2tpd:

• jnxL2tpSessionStatsUserName

• jnxL2tpSessionAssignedIpAddrType


• jnxL2tpSessionAssignedIpAddress

• jnxL2tpSessionLocalMRU

• jnxL2tpSessionRemoteMRU

• jnxL2tpSessionStatsAuthMethod

• jnxL2tpSessionStatsNasIpAddrType

• jnxL2tpSessionStatsNasIpAddress

• jnxL2tpSessionStatsNasIpPort

• jnxL2tpSessionStatsFramedProtocol

• jnxL2tpSessionStatsFramedIpAddrType

• jnxL2tpSessionStatsFramedIpAddress

• jnxL2tpSessionStatsAcctDelayTime

• jnxL2tpSessionStatsAcctSessionID

• jnxL2tpSessionStatsAcctMethod

• jnxL2tpSessionStatsAcctSessionTime

• jnxL2tpSessionStatsAcctNasPortType

• jnxL2tpSessionStatsAcctTnlClientAuthID

• jnxL2tpSessionStatsAcctTnlServerAuthID

• jnxL2tpSessionStatsUserProfileName

The following objects in jnxL2tpTunnelStatsTable are not available on MPC/MICs:

• jnxL2tpTunnelStatsErrorTxPkts

• jnxL2tpTunnelStatsErrorRxPkts

These objects continue to be supported by the M Series routers. You can access the tunnel- and session-related information for both the processes using SNMP get and get-next requests. If an object is not supported, the object returns either zero or the default value.

[SNMP MIBs and Traps Reference]

• Enhancements to the jnxOperatingCPU object—Junos OS Release 11.3 introduces the following three MIB objects to enhance the CPU utilization reporting over SNMP:

• jnxOperating1MinAvgCPU—Indicates the average utilization of CPU during the last minute.

• jnxOperating5MinAvgCPU—Indicates the average utilization of CPU during the last 5-minute period.


• jnxOperating15MinAvgCPU—Indicates the average utilization of CPU during the last 15-minute period.

All these objects return a zero value if the data is not available or is not applicable.

[SNMP MIBs and Traps Reference]

• Support for the pimNeighborLoss trap—Starting Release 11.4, Junos OS supports the pimNeighborLoss trap as defined in RFC 2934. The Junos OS implementation of RFC 2934 is based on a draft version of the PIM MIB as defined in the pimmib.mib in the Junos OS Standard MIBs package.

The pimNeighborLoss trap is generated when the device loses the adjacency with its only neighbor that has an IP address lower than that of the interface to which the neighbor is connected.

[SNMP MIBs and Traps Reference]

• MIB Support for VRF Route Entries: Starting Release 11.4, Junos OS extends the SNMP support to Layer 3 Virtual Private Network (VPN) Routing and Forwarding Table (VRF) entries as defined in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB. The Junos OS support for RFC 4382 includes the following scalar objects and tables:

• mplsL3VpnConfiguredVrfs

• mplsL3VpnActiveVrfs

• mplsL3VpnConnectedInterfaces

• mplsL3VpnNotificationEnable

• mplsL3VpnVrfConfMaxPossRts

• mplsL3VpnVrfConfRteMxThrshTime

• mplsL3VpnIllLblRcvThrsh

• mplsL3VpnVrfTable

• mplsL3VpnIfConfTable

• mplsL3VpnVrfPerfTable

• mplsL3VpnVrfRteTable

• mplsVpnVrfRTTable

[SNMP MIBs and Traps Reference]

• Junos OS MIB support for VPLS: Starting with Release 11.4, Junos OS extends SNMP support to virtual private LAN services (VPLS) networks so that users can access VPLS-related data over SNMP. The Junos OS SNMP support for VPLS covers both BGP-based and LDP-based VPLS networks.


The Junos OS SNMP support for VPLS is based on the IETF standard MIB draft-ietf-l2vpn-vpls-mib-05.txt. Juniper Networks extensions of the following MIBs defined in draft-ietf-l2vpn-vpls-mib-05.txt are implemented as part of the jnxExperiment branch:

• VPLS-Generic-Draft-01-MIB implemented as mib-jnx-vpls-generic.txt.

• VPLS-BGP-Draft-01-MIB implemented as mib-jnx-vpls-bgp.txt.

• VPLS-LDP-Draft-01-MIB implemented as mib-jnx-vpls-ldp.txt.

In the Junos OS implementation of these MIBs, all MIB objects are prefixed with jnx.

[SNMP MIBs and Traps Reference]

• Extended support for the enterprise-specific License MIB—Starting Junos OS Release 11.3, the enterprise-specific License MIB is supported on all devices running Junos OS. The enterprise-specific License MIB was supported only on SRX devices when the License MIB was introduced in Junos OS Release 11.2.

[SNMP MIBs and Traps Reference]

• SNMP poll and trap support for DHCP leases (MX Series 3D Universal Edge Routers)—The Juniper Networks enterprise-specific DHCP and DHCPv6 MIB objects, jnxJdhcpMIB and jnxJdhcpv6MIB, have been modified to contain a new table for interface statistics and additional notifications. This feature includes support for gets and traps and support for DHCP local server and relay and DHCPv6 local server.

[SNMP MIBs and Traps Reference]

• SNMP support for address counters (MX Series 3D Universal Edge Routers)—This feature provides the ability to track the usage of address resources off-chassis.

[SNMP MIBs and Traps Reference]

Routing Protocols

• For internal BGP (IBGP), advertise multiple paths to a destination (M Series, MX Series, and T Series routers)—For IPv4 unicast (family inet unicast) routes only, enables an IBGP peer to advertise multiple exit points to reach a destination. This provides fault tolerance, load balancing, and graceful maintenance operations.

To set the number of paths to send to a neighbor, include the add-path send path-count number statement at the [edit protocols bgp group group-name neighbor address family inet unicast] hierarchy level.

To enable a peer to receive multiple paths, include the add-path receive statement at the [edit protocols bgp group group-name family inet unicast] hierarchy level.

To apply a policy that allows a BGP peer to send multiple paths for only specific routes, include the add-path send prefix-policy policy-name statement at the [edit protocols bgp group group-name neighbor address family inet unicast] hierarchy level.

To configure the policy, use the policy-options hierarchy level, as you normally would. For example:

Copyright © 2011, Juniper Networks, Inc.82

Junos OS 11.4 Release Notes

Page 83: Junos OS11.4ReleaseNotes - Juniper Networks•SupportforFrameRelayDEbitrewritingonEnhancedIQPICs(M7i,M10i,M40e, •

user@host# set policy-options policy-statement allow_199 from route-filter199.1.1.1/32 exact

user@host# set policy-options policy-statement allow_199 then accept

[Routing Policy]

• Frequent BGP keepalive messages and short BGP hold time—Enables BGP sessions to send frequent keepalive messages with a hold time as short as 10 seconds. Note that the hold time is three times the interval at which keepalive messages are sent, and the hold time is the maximum number of seconds allowed to elapse between successive keepalive messages that BGP receives from a peer. When establishing a BGP connection with the local routing device, a peer sends an open message, which contains a hold-time value. BGP on the local routing device uses the smaller of either the local hold-time value or the peer’s hold-time value as the hold time for the BGP connection between the two peers. The default hold time is 90 seconds, meaning that the default frequency for keepalive messages is 30 seconds. More frequent keepalive messages and shorter hold times might be desirable in large-scale deployments with many active sessions (such as edge or large VPN deployments).

To configure the hold time and the frequency of keepalive messages, include the hold-time statement at the [edit protocols bgp] hierarchy level. You can configure the hold time at a logical-system, routing-instance, global, group, or neighbor level. When you set a hold-time value to less than 20 seconds, we recommend that you also configure the BGP precision-timers statement. The precision-timers statement ensures that if scheduler slip messages occur, the routing device continues to send keepalive messages. When the precision-timers statement is included, keepalive message generation is performed in a dedicated kernel thread, which helps to prevent BGP session flaps.

[Routing Protocols]
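The hold-time rules above can be turned into a configuration check. This added example (not Juniper code) parses set-format BGP statements, resolves the hold time that applies to each scope, and flags the two conditions the text calls out: a value below the 10-second minimum, or a value under 20 seconds without precision-timers. The group names and addresses in the sample are constructed, and precision-timers is assumed to be configured at [edit protocols bgp].

```python
"""Audit Junos BGP hold-time settings given in 'set' format.

Added example, not Juniper code. Rules applied: the keepalive interval is one
third of the hold time, the shortest supported hold time is 10 seconds, and a
hold time below 20 seconds should be paired with precision-timers (assumed to
live at [edit protocols bgp]). SAMPLE_CONFIG uses constructed names/addresses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_HOLD_TIME = 90           # Junos default; keepalives every 30 seconds
MIN_HOLD_TIME = 10               # shortest hold time the feature supports
PRECISION_TIMERS_THRESHOLD = 20  # below this, precision-timers is recommended

SAMPLE_CONFIG = """\
set protocols bgp hold-time 30
set protocols bgp group core neighbor 192.0.2.1 hold-time 15
set protocols bgp group edge hold-time 9
set protocols bgp group peers neighbor 198.51.100.7 hold-time 12
"""
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG + "set protocols bgp precision-timers\n"

_STMT = re.compile(
    r"^set protocols bgp"
    r"(?: group (?P<group>\S+))?"
    r"(?: neighbor (?P<neighbor>\S+))?"
    r" (?:hold-time (?P<hold>\d+)|(?P<precision>precision-timers))$"
)


@dataclass
class BgpTimers:
    precision_timers: bool = False
    global_hold: Optional[int] = None
    group_hold: Dict[str, int] = field(default_factory=dict)
    neighbor_hold: Dict[Tuple[Optional[str], str], int] = field(default_factory=dict)


def parse_config(text: str) -> BgpTimers:
    """Collect hold-time values at global, group and neighbor scope."""
    timers = BgpTimers()
    for line in text.splitlines():
        m = _STMT.match(line.strip())
        if not m:
            continue  # statement not relevant to this audit
        if m.group("precision"):
            timers.precision_timers = True
            continue
        hold = int(m.group("hold"))
        group, neighbor = m.group("group"), m.group("neighbor")
        if neighbor is not None:
            timers.neighbor_hold[(group, neighbor)] = hold
        elif group is not None:
            timers.group_hold[group] = hold
        else:
            timers.global_hold = hold
    return timers


def effective_hold_time(timers: BgpTimers, group: Optional[str] = None,
                        neighbor: Optional[str] = None) -> int:
    """Most specific scope wins: neighbor, then group, then global, then default."""
    if neighbor is not None and (group, neighbor) in timers.neighbor_hold:
        return timers.neighbor_hold[(group, neighbor)]
    if group is not None and group in timers.group_hold:
        return timers.group_hold[group]
    if timers.global_hold is not None:
        return timers.global_hold
    return DEFAULT_HOLD_TIME


def keepalive_interval(hold_time: int) -> int:
    """Keepalives are sent at one third of the hold time."""
    return hold_time // 3


def negotiated_hold_time(local: int, peer_open: int) -> int:
    """The session uses the smaller of the local value and the peer's OPEN value."""
    return min(local, peer_open)


def audit(text: str) -> List[str]:
    """Return one finding per configured scope whose hold time is unsupported or risky."""
    timers = parse_config(text)
    scopes = [("global", None, None)]
    scopes += [(f"group {g}", g, None) for g in timers.group_hold]
    scopes += [(f"group {g} neighbor {n}", g, n) for g, n in timers.neighbor_hold]
    findings = []
    for label, group, neighbor in scopes:
        hold = effective_hold_time(timers, group, neighbor)
        if hold < MIN_HOLD_TIME:
            findings.append(f"{label}: hold-time {hold} is below the supported "
                            f"minimum of {MIN_HOLD_TIME} seconds")
        elif hold < PRECISION_TIMERS_THRESHOLD and not timers.precision_timers:
            findings.append(f"{label}: hold-time {hold} (keepalive every "
                            f"{keepalive_interval(hold)}s) without precision-timers; "
                            "a scheduler slip can flap the session")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```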

Subscriber Access Management

• Junos OS subscriber management scaling values (M120, M320, and MX Series routers)—A spreadsheet is available online that lists scaling values supported for Junos OS subscriber management beginning with Junos OS Release 10.1. Access the Subscriber Management Scaling Values (XLS) spreadsheet from the Downloads box at http://www.juniper.net/techpubs/en_US/junosrelease-number/information-products/pathway-pages/subscriber-access/index.html. Substitute the number of the latest Junos OS release for the release-number. For example, ...en_us/junos11.1/....

[Subscriber Management Scaling]

• Configuring connection speeds on the LAC (MX Series 3D Universal Edge Routers)—You can configure the resource used by the LAC to determine the setting for the speed of the connection from the LAC to the LNS (transmit speed) and of the connection from the LNS to the LAC (receive speed). The LAC sends the speeds to the LNS in Incoming-Call-Connected (ICCN) messages; the transmit speed is conveyed by AVP 24 and the receive speed by AVP 38.

To use the recommended downstream traffic shaping rate for AVP 24 and the recommended upstream shaping rate for AVP 38, include the tx-connect-speed-method advisory statement at the [edit services l2tp] hierarchy level. You configure the advisory rates under the PPPoE logical interface underlying the subscriber interface with the advisory-options statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. If the advisory speed is not configured on the underlying interface, then the tx-connect-speed-method advisory statement automatically sets the speed to 1 Gbps and sends this value in both AVP 24 and AVP 38.

Alternatively, to derive the speeds from the PPPoE IA tags, use the tx-connect-speed-method dsl-forum statement. In this case, AVP 24 is the value of Actual-Data-Rate-Downstream (VSA 26-129). AVP 38 is the value of Actual-Data-Rate-Upstream (26-130), and is sent only when the VSA values differ.

[Subscriber Access]

• Support for hierarchical policer as filter action (MX Series router)—This feature enables you to have hierarchical policers as one type of filter action. Hierarchical policers rate-limit premium traffic separately from the aggregate traffic on an interface as determined by different configured rates. This feature is useful in provider edge applications using aggregate policing for general traffic and to apply a separate policer for premium traffic on a logical or physical interface. To enable all hierarchical policers of the same name in one filter to share the same policer instance in PFE, use the filter-specific statement at the [edit firewall] hierarchy level.

[Subscriber Access]

• Unified ISSU support for subscriber management PPPoE access model (M120, M320, and MX Series routers)—Extends support for the unified in-service software upgrade (unified ISSU) feature to the PPPoE access model used by subscriber management. This support ensures that the router preserves all active PPPoE subscriber sessions and session services after completion of a unified ISSU.

Unified ISSU for static and dynamic PPPoE access in subscriber management supports the following features:

• Terminated, non-tunneled PPPoE connections configured with static or dynamic PPP logical interfaces and static or dynamic PPPoE underlying interfaces

• Subscriber services on single-link PPP interfaces

• Preservation of statistics for accounting, filter, and class of service (CoS) on MPC/MIC interfaces

NOTE: Accounting statistics are not preserved after a unified ISSU on M120 and M320 routers with Enhanced Intelligent Queuing 2 (IQ2E) PICs.

Unified ISSU for static and dynamic PPPoE access in subscriber management does not support Multilink Point-to-Point Protocol (MLPPP) bundle interfaces. (MLPPP bundle interfaces require the use of an Adaptive Services PIC or Multiservices PIC to provide PPP subscriber services. These PICs do not support unified ISSU.)

You use the existing CLI statements and procedure to configure and initiate unified ISSU for subscriber management. To display information about the state of unified ISSU for subscriber management features, you can use the existing show system subscriber-management summary operational command.

[Subscriber Access, High Availability]

• PPPoE encapsulation type lockout support (M120, M320, and MX Series routers)—Enables you to configure the router to prevent (lockout) a failed or short-lived PPPoE subscriber session from reconnecting for a temporary period of time known as the lockout period. The lockout period is derived from a formula and increases exponentially based on the number of successive reconnection failures.

Configuring PPPoE encapsulation type lockout protects the router and any external authentication, authorization, and accounting (AAA) servers, such as RADIUS or Diameter, from excessive loading as a result of failed or short-lived PPPoE subscriber sessions that occur repeatedly for the same subscriber. Subscriber sessions are identified by their unique media access control (MAC) source address.

When you configure PPPoE encapsulation type lockout, the router detects a short-lived (also referred to as a short-cycle) subscriber session, determines the time between repeated short-cycle events, and applies a time penalty for each short-cycle event based on a default or configured lockout period. This action temporarily locks out the specified PPPoE subscriber by preventing connection to the router. When the lockout period expires, negotiation of the PPPoE subscriber session and associated MAC source address resumes.

Configuration of PPPoE encapsulation type lockout is supported on Intelligent Queuing 2 (IQ2) PICs on M120 and M320 routers, and on MPC/MIC interfaces on MX Series routers. You can configure PPPoE encapsulation type lockout for all of the following static and dynamic PPPoE underlying interface types:

• Static VLAN logical interface

• Static VLAN demultiplexing (demux) logical interface

• Dynamic VLAN logical interface

• Dynamic VLAN demultiplexing (demux) logical interface

PPPoE encapsulation type lockout is disabled by default. To configure PPPoE encapsulation type lockout and an optional lockout period, in seconds, you must include the new short-cycle-protection statement at any of the following hierarchy levels:

• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family pppoe]

• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family pppoe]

• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number pppoe-underlying-options]

• [edit interfaces demux0 unit logical-unit-number family pppoe]

• [edit interfaces interface-name unit logical-unit-number family pppoe]

• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]

• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family pppoe]

• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number pppoe-underlying-options]

If you include the short-cycle-protection statement without specifying the lockout period, the router uses the default lockout period of 1 through 300 seconds (5 minutes).

To display information about the PPPoE encapsulation type lockout configuration on the PPPoE underlying interface, use the show pppoe lockout operational command, new in Junos OS Release 11.4, or the show pppoe underlying-interfaces operational command, enhanced in Junos OS Release 11.4. You can also use the new clear pppoe lockout operational command to clear the lockout condition for a specific MAC source address on a specific underlying interface, for all MAC source addresses on a specific underlying interface, or for all MAC source addresses on all underlying interfaces.

[Subscriber Access, Interfaces Command Reference, Ethernet Interfaces]

• Expression support for dynamic profiles (MX Series routers)—Junos OS Release 11.4 supports the use of expressions for dynamic profile variables. Expressions are groups of arithmetic operators, string operators, and operands that you can create for use as variables within dynamic profiles.

To configure expressions, include the expression operators and operands at the [edit dynamic-profiles profile-name variables] hierarchy level.

Table 4 on page 86 lists supported operators and functions you can use to create expressions.

NOTE: Precedence 1 is the lowest level.

Table 4: Operators and Functions

Operation                  Operator              Associativity  Precedence  Action
Arithmetic Addition        +                     Left           1           Adds the elements to the right and left of the operator together.
Arithmetic Subtraction     -                     Left           1           Subtracts the element to the right of the operator from the element to the left of the operator.
Arithmetic Multiplication  *                     Left           2           Multiplies the element to the left of the operator by the element to the right of the operator.
Arithmetic Division        /                     Left           2           Divides the element to the left of the operator by the element to the right of the operator.
Arithmetic Modulo          %                     Left           2           Divides the element to the left of the operator by the element to the right of the operator and returns the integer remainder. If the element to the left of the operator is less than the element to the right of the operator, the result is the element to the left of the operator.
Concatenation              ##                    Left           3           Creates a new string by joining the string values to the left of the operator and the values to the right of the operator together.
Maximum                    max(param1,param2)    Left           4           Takes the maximum of the two values passed as parameters.
Minimum                    min(param1,param2)    Left           4           Takes the minimum of the two values passed as parameters.
Round                      round(param1)         -              4           Rounds the value to the nearest integer.
Truncate                   trunc(param1)         -              4           Truncates a non-integer value to the value left of the decimal point.
Convert to String          toStr(param1)         -              4           Converts the variable inside the parentheses to a null-terminated string.
Convert to Integer         toInt(param1)         -              4           Converts the parameter to an integer. A single string or variable is allowed as a parameter.
Random                     rand()                -              4           Generates a random numerical value.
Parentheses                ( )                   -              5           Groups operands and operators to achieve results different from simple precedence; effectively has the highest precedence.

[Subscriber Access]
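To see how the precedence and associativity in Table 4 interact (for instance, that ## binds tighter than * and that the arithmetic operators are left-associative), here is an added evaluator for this expression grammar. It is example code, not Juniper's implementation; the table does not say whether / yields a fraction or how rand() is seeded, so those are assumptions, and variable names such as $shaping-rate and $up are constructed.

```python
"""Evaluate dynamic-profile expressions with the operators of Table 4.
Added example, not Juniper code. Precedence (1 lowest) and left associativity
follow the table; parentheses bind tightest. Assumed where the table is silent:
'/' may yield a fraction (wrap it in trunc() or round()), rand() uses Python's
generator, and variable names such as $shaping-rate are constructed."""
import math
import random
import re
from typing import Any, Dict, Optional

PRECEDENCE = {"+": 1, "-": 1, "*": 2, "/": 2, "%": 2, "##": 3}

def _num(v):  # arithmetic needs numbers; a string operand must go through toInt()
    if not isinstance(v, (int, float)):
        raise TypeError(f"arithmetic on non-numeric value {v!r}")
    return v

BINARY = {
    "+": lambda a, b: _num(a) + _num(b),
    "-": lambda a, b: _num(a) - _num(b),
    "*": lambda a, b: _num(a) * _num(b),
    "/": lambda a, b: _num(a) / _num(b),
    "%": lambda a, b: _num(a) % _num(b),  # integer remainder; a < b yields a
    "##": lambda a, b: str(a) + str(b),   # concatenation always yields a string
}
FUNCTIONS = {  # name -> (arity, implementation); all have precedence 4 in Table 4
    "max": (2, lambda a, b: max(_num(a), _num(b))),
    "min": (2, lambda a, b: min(_num(a), _num(b))),
    "round": (1, lambda a: int(math.floor(_num(a) + 0.5))),
    "trunc": (1, lambda a: int(_num(a))),  # keeps the part left of the decimal point
    "toStr": (1, lambda a: str(a)),
    "toInt": (1, lambda a: int(a) if isinstance(a, (int, float)) else int(str(a).strip())),
    "rand": (0, lambda: random.randint(0, 2**31 - 1)),
}
_TOKEN = re.compile(r"""\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<str>"[^"]*")
    |(?P<var>\$[A-Za-z_][A-Za-z0-9_-]*)   # hyphens belong to the variable name
    |(?P<name>[A-Za-z_][A-Za-z0-9_]*)|(?P<op>\#\#|[-+*/%(),]))""", re.VERBOSE)

def tokenize(text: str) -> list:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at {text[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens + [("eof", "")]  # sentinel so lookahead never runs off the end

class _Parser:
    def __init__(self, tokens: list, variables: Dict[str, Any]):
        self.tokens, self.pos, self.variables = tokens, 0, variables

    def _take(self, expected: Optional[str] = None):
        kind, value = self.tokens[self.pos]
        if expected is not None and value != expected:
            raise SyntaxError(f"expected {expected!r}, got {value!r}")
        if kind != "eof":
            self.pos += 1
        return kind, value

    def expression(self, min_prec: int = 1) -> Any:
        """Precedence climbing: consume binary operators binding at least min_prec."""
        left = self._primary()
        while True:
            kind, op = self.tokens[self.pos]
            if kind != "op" or PRECEDENCE.get(op, 0) < min_prec:
                return left
            self._take()
            right = self.expression(PRECEDENCE[op] + 1)  # +1 makes it left-associative
            left = BINARY[op](left, right)

    def _primary(self) -> Any:
        kind, value = self._take()
        if kind in ("num", "str"):
            return value[1:-1] if kind == "str" else float(value) if "." in value else int(value)
        if kind == "var":
            return self.variables[value]  # KeyError for an undefined variable
        if kind == "name" and value in FUNCTIONS:
            arity, fn = FUNCTIONS[value]
            self._take("(")
            args = []
            while len(args) < arity:
                if args:
                    self._take(",")
                args.append(self.expression())
            self._take(")")
            return fn(*args)
        if (kind, value) == ("op", "("):
            inner = self.expression()
            self._take(")")
            return inner
        raise SyntaxError(f"unexpected token {value!r}")

def evaluate(text: str, variables: Optional[Dict[str, Any]] = None) -> Any:
    """Evaluate one dynamic-profile expression against a table of variable values."""
    parser = _Parser(tokenize(text), variables or {})
    result = parser.expression()
    if parser.tokens[parser.pos][0] != "eof":
        raise SyntaxError("trailing input after expression")
    return result
```

Because concatenation has precedence 3, `2 * 3 ## 4` joins 3 and 4 into the string "34" before the multiplication and so fails; `toInt(3 ## 4) * 2` is the form that yields 68.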

• L2TP LAC support for unified ISSU (MX Series 3D Universal Edge Routers)—Unified ISSU for tunneled PPP clients over PPPoE is now fully supported on L2TP LACs on MX Series routers. When a unified ISSU is initiated, the LAC completes any L2TP negotiations that are in progress but rejects any new negotiations until the upgrade has completed. No new tunnels or sessions are established during the upgrade. Subscriber logouts are recorded during the upgrade and are completed after the upgrade has completed.

L2TP LNS on MX Series routers supports only unified ISSU challenged behavior. The upgrade is gracefully rejected and does not proceed when any LNS destination exists, regardless of whether tunnels or sessions have been established.

Unified ISSU is not supported by L2TP on M Series routers.

[Subscriber Access, High Availability]


• DHCPv6 support (MX Series routers)—Subscriber management now supports DHCPv6 relay. DHCPv6 relay passes messages between a DHCPv6 client and a DHCPv6 server, and provides the type of support within an IPv6 network that the previously supported DHCP relay provides in an IPv4 network. DHCPv6 relay interacts with the AAA service framework to manage subscriber access and accounting. This interaction enables the relay to use an external authority, such as RADIUS, to provide IPv6 prefixes, client authentication, and configuration options.

To configure DHCPv6 relay, you use the dhcpv6 statement at the [edit forwarding-options dhcp-relay] hierarchy level. Subscriber management also supports new operational commands that you can use to query the system and display information about DHCPv6 relay bindings and statistics.

Table 5 on page 88 lists the DHCPv6 relay statements and operational commands that are introduced at the indicated hierarchy levels in Junos OS Release 11.4:

Table 5: DHCPv6 Relay Support for New Statements and Operational Commands

Supported Hierarchy Level: [edit forwarding-options dhcp-relay]
Statement or Command: dhcpv6

Supported Hierarchy Level: [edit forwarding-options dhcp-relay dhcpv6]
Statement or Command: relay-agent-interface-id

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 authentication username-include] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication username-include]
Statements: relay-agent-interface-id, relay-agent-remote-id, relay-agent-subscriber-id

Supported Hierarchy Level: CLI operational mode
Commands: clear dhcpv6 relay binding, clear dhcpv6 relay statistics, show dhcpv6 relay binding, show dhcpv6 relay statistics

Table 6 on page 88 lists the existing statements that are now supported for DHCPv6 relay at the indicated hierarchy levels:

Table 6: DHCPv6 Relay Support for Existing Statements

Supported Hierarchy Level: [edit forwarding-options dhcp-relay dhcpv6]
Statements: active-server-group, authentication, dynamic-profile, group, overrides, server-group

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 authentication] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication]
Statements: password, username-include

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 authentication username-include] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication username-include]
Statements: circuit-type, delimiter, domain-name, logical-system-name, routing-instance-name, user-prefix

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 dynamic-profile] and [edit forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile]
Statements: aggregate-clients, use-primary

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay dhcpv6 group group-name], and [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name]
Statement: overrides

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 relay-agent-interface-id] and [edit forwarding-options dhcp-relay dhcpv6 group group-name relay-agent-interface-id]
Statements: prefix, use-interface-description

Supported Hierarchy Levels: [edit forwarding-options dhcp-relay dhcpv6 overrides], [edit forwarding-options dhcp-relay dhcpv6 group group-name overrides], and [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name overrides]
Statements: interface-client-limit, no-bind-on-request, send-release-on-delete

Supported Hierarchy Level: [edit forwarding-options dhcp-relay dhcpv6 group group-name]
Statement: interface

Supported Hierarchy Level: [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name]
Statement: trace


[Subscriber Access]

• Support for hierarchical CoS on interface sets of aggregated Ethernet interfaces (MX Series routers)—Enables you to apply hierarchical CoS to demux and PPPoE subscribers configured in interface sets of aggregated Ethernet interfaces. This feature is supported on MPC/MIC modules on MX Series routers. You must apply static CoS parameters to interface sets.

You can configure the aggregated Ethernet interface with or without link protection. In addition, you can set the distribution model of the logical interfaces within the interface set to hash-based distribution or targeted distribution.

The link membership list and scheduler mode of the interface set is inherited from the underlying aggregated Ethernet interface over which the interface set is configured. When an aggregated Ethernet interface operates in link protection mode, or if the scheduler mode is set to member-link-scheduler replicate, the scheduling parameters of the interface set are copied to each of the member links. If the scheduler mode of the aggregated Ethernet interface is set to member-link-scheduler scale, the scheduling parameters are scaled based on the number of active member links and applied to each of the aggregated interface member links.

To create an interface set, include the interface-set interface-set-name statement at the [edit interfaces] hierarchy level or the [edit dynamic-profiles profile-name interfaces] hierarchy level. You can add demux or PPPoE interfaces to the set by including the interface interface-name unit logical-unit-number statement at the [edit interfaces interface-set interface-set-name] or the [edit dynamic-profiles profile-name interfaces interface-set interface-set-name] hierarchy level.

To apply scheduling and queuing parameters to the interface set, include the output-traffic-control-profile profile-name statement at the [edit class-of-service interfaces interface-set interface-set-name] hierarchy level.

[Class of Service, Subscriber Access]

• Support for dynamic profile versions (MX Series routers)—Junos OS Release 11.4 provides the ability to create new versions of dynamic profiles that are currently in use by subscribers. Any subscriber that logs in following a dynamic profile modification uses the latest version of the dynamic profile. Subscribers that are already active continue to use the older version of the dynamic profile until they log out or their session terminates.

To enable the configuration of dynamic profile versions, include the versioning statement at the [edit system dynamic-profile-options] hierarchy level.

When creating versions of dynamic profiles, keep the following in mind:

• You can enable or disable dynamic profile versioning regardless of whether dynamic profiles are configured or not.

• Each version of a dynamic profile is stored in the profile database as a new profile.

• The name of the new profile version is derived by appending a four-character tag string to the original base dynamic profile name. This tag string contains two dollar sign ($) characters to identify the version field of the profile name. These two characters are followed by two numerical characters that represent the version number of the dynamic profile (for example, 01).

• The dynamic profile that you modify is always stored as the latest version. You cannot create a modified dynamic profile and save it as an earlier version. For example, if you modify version three of a dynamic profile, it is saved as version four.

• You can modify only the latest version of a dynamic profile.

• If the dynamic profile version that you modify is not in use by any subscriber, the profile is overwritten with committed changes without creating a new version.

• You can create a maximum of 10 versions of each dynamic profile.

• If all 10 versions of a dynamic profile already exist, any modification to the dynamic profile results in modifying the latest version of that profile (that is, version $$10). If this version is in use, any modification attempt fails upon commit.

• You can delete a dynamic profile only when it is not in use.

• The dynamic profile version feature supports graceful restart and unified ISSU.

The show subscriber command has been enhanced to display the dynamic profile name and current version (when appropriate) in the Dynamic Profile Name field for each subscriber.

[Subscriber Access]

• Subscriber secure policy support for IPv6 traffic (MX Series routers)—Subscriber secure policy now mirrors IPv6 traffic as well as IPv4 traffic. IPv6 mirroring uses the existing statements and configuration procedures and requires no additional steps. As in the case of IPv4 mirroring, the IPv6 traffic is encapsulated in a UDP packet and sent to the mediation device. IPv6 mirroring can be based on information provided by either RADIUS or Dynamic Tasking Control Protocol (DTCP).

[Subscriber Access]

• Duplicate RADIUS accounting reports (MX Series routers)—By default, subscriber management sends RADIUS accounting reports to the accounting servers in the context in which the subscriber was last authenticated. However, in a Layer 3 wholesale network solution, the wholesaler and retailer might use different RADIUS accounting servers, and both might want to receive the accounting reports. You can now configure duplicate account reporting, and specify that subscriber management send the same RADIUS accounting report to both the wholesaler and the retailer accounting servers.

To configure duplicate RADIUS accounting, you include the duplication statement at the [edit access profile profile-name accounting] hierarchy level.

[Subscriber Access]

• Centrally configured per-subscriber DHCP options (VSA 26-55) (MX Series routers)—Subscriber management enables you to centrally configure DHCP options on a RADIUS server and distribute the options on a per-subscriber basis. You use Juniper Networks VSA 26-55 to include the DHCP options information in the Access-Accept message sent from the RADIUS server to the RADIUS client, and on to DHCP local server for return to the DHCP subscriber.

The centrally configured DHCP options feature is supported for DHCP local server. DHCP local server provides a passthrough operation, performing minimal processing and error checking of the DHCP options string that the RADIUS server sends in VSA 26-55. The new feature does not affect the previously supported functionality, in which VSA 26-55 is configured by DHCP local server or DHCP relay agent. Subscriber management supports the previous and new functionality for both DHCPv4 and DHCPv6.

[Subscriber Access]

• Support for concurrent IPoE DHCP and PPPoE logical interfaces on the same VLAN (MX Series routers with MPC/MIC interfaces)—Junos OS Release 11.4 supports the configuration of VLAN interfaces with multiple protocol interface stacks at the same time. This means that you can now configure both IPoE DHCP logical interfaces and PPPoE logical interfaces concurrently over the same VLAN interface.

Configuring PPPoE concurrently with IPoE DHCP on the same VLAN interface requires that you use the family pppoe statement at the [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number], [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number], or [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number] hierarchy level. This statement is supported only on MX Series routers with MPCs. However, all features specific to DHCP and PPPoE interfaces are supported with concurrent configuration on this platform.

[Subscriber Access]

• Support for processing DHCP information request messages (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—By default, DHCP local server and DHCPv6 local server ignore any DHCP information request messages that they receive. You can now override this default behavior to enable processing of these messages. Include the process-inform statement at any of the [edit ... system services dhcp-local-server ... overrides] or [edit ... system services dhcp-local-server dhcpv6 ... overrides] hierarchy levels. Overriding the default behavior is appropriate when the servers have DHCP clients with externally provided addresses; these clients might send DHCP information request messages to the server to request further configuration information from the server.

By default, DHCP relay and DHCP relay proxy now automatically forward DHCP information request messages without modification as long as the messages are received on an interface configured for a DHCP server group. DHCP relay drops information request messages that it receives on any other interfaces. You cannot disable this default DHCP relay and relay proxy behavior.

The information requested by these clients has typically been configured with the dhcp-attributes statement for an address pool defined by the address-assignment pool pool-name statement at the [edit access] hierarchy level.

When you enable processing of DHCP information request messages, include the pool pool-name statement at the [edit system services dhcp-local-server overrides process-inform] or [edit system services dhcp-local-server dhcpv6 overrides process-inform] hierarchy level to optionally specify a pool name from which the local server retrieves the requested configuration information for the client. If you do not specify a local pool, then the local server requests that AAA select and return only the name of the relevant pool.

When DHCPv6 is configured over PPP interfaces, the PPP RADIUS authentication data can be used to select the pool from which the response information is taken. Additionally, other RADIUS attributes can also be inserted into the DHCPv6 reply message. If an overlap exists between RADIUS attributes and local pool attributes, the RADIUS values are used instead of the local configuration data. If no RADIUS information is received from the underlying PPP interface, then the behavior is the same as described above for non-PPP interfaces.

DHCP local server responds to the client with a DHCP ack message that includes the requested information—if it is available. DHCPv6 local server responds in the same manner but uses a DHCP reply message. No subscriber management is applied as a result of the DHCP inform message.

[Subscriber Access]

• Support for VLAN ID as a selector for IP demux interfaces (MX Series routers)—Junos OS Release 11.4 supports the configuration of IP demux interfaces using VLAN IDs as the selector. You can now configure dynamic IP demux interfaces over either static or dynamic VLAN demux interfaces. This feature provides the following support:

• Only single and dual VLAN tag options are supported as VLAN selectors.

• Both inet and inet6 families are supported.

• All firewall and CoS features are supported.

• Both static and dynamic demux interface creation is supported, including autosense VLAN creation.

• Both DPC and MPC modules are supported.

For details about how to configure dynamic IP demux interfaces over static or dynamic VLAN demux interfaces, see the Junos OS Special Document for Release 11.4 M Series, MX Series, and T Series Routers and the Junos OS Subscriber Access Configuration Guide.

[Subscriber Access]

• Support for session and idle timeouts for L2TP tunneled subscriber sessions (MX Series 3D Universal Edge Routers)—You can now manage the length of L2TP tunneled subscriber sessions by including the client-idle-timeout statement, the client-session-timeout statement, or both, at the [edit access profile profile-name session-options] hierarchy level. This functionality was previously supported only for PPP-terminated subscriber sessions.

The session timeout defines how long the subscriber session is allowed to be up before it is terminated, regardless of user activity. The idle timeout monitors the session for upstream and downstream traffic, and terminates the session when there has been no traffic for the specified period. These timeouts apply on a per-routing-instance basis.

You can also configure these limits on a per-subscriber basis with RADIUS attributes Session-Timeout [27] and Idle-Timeout [28]. The RADIUS attributes returned for a particular subscriber override any value set by the access profile applied when the user logs in.

Issue the show subscribers detail command to display the session and idle timeouts applied to the subscribers' sessions.

[Subscriber Access]
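The override rule described above (RADIUS Session-Timeout [27] and Idle-Timeout [28] taking precedence over the access-profile values) and the two expiry conditions, worked through in Python as an added example; this is not Junos code. The attribute layout is the standard RFC 2865 type/length/value encoding; the profile values, the sample Access-Accept and the termination-reason strings are constructed for the example.

```python
"""Effective L2TP/PPP subscriber timeouts: access-profile defaults overridden
by RADIUS Session-Timeout (27) and Idle-Timeout (28), plus the expiry check.
Added example, not Junos code. Attribute layout follows RFC 2865 (type,
length, value); profile values and the sample Access-Accept are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

SESSION_TIMEOUT = 27  # RADIUS attribute number, value in seconds
IDLE_TIMEOUT = 28


def parse_radius_attributes(payload: bytes) -> dict:
    """Parse the attribute section of a RADIUS packet into {type: raw value}.
    Each attribute is type (1 octet), length (1 octet, counting the 2-octet
    header), value. A malformed length aborts the parse instead of looping."""
    attrs = {}
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_attribute(atype: int, value: int) -> bytes:
    """Encode a 4-octet integer attribute (used to build the constructed Access-Accept)."""
    return struct.pack("!BBI", atype, 6, value)


@dataclass
class Timeouts:
    session: Optional[int]  # seconds; None means no limit
    idle: Optional[int]


def effective_timeouts(profile: Timeouts, access_accept_attrs: dict) -> Timeouts:
    """RADIUS attributes returned for the subscriber override the access-profile values."""
    session, idle = profile.session, profile.idle
    if SESSION_TIMEOUT in access_accept_attrs:
        session = struct.unpack("!I", access_accept_attrs[SESSION_TIMEOUT])[0]
    if IDLE_TIMEOUT in access_accept_attrs:
        idle = struct.unpack("!I", access_accept_attrs[IDLE_TIMEOUT])[0]
    return Timeouts(session, idle)


def termination_reason(t: Timeouts, session_age: int, idle_for: int) -> Optional[str]:
    """Decide whether the session must be torn down.
    session_age: seconds since the session came up, counted regardless of activity;
    idle_for: seconds since the last upstream or downstream packet."""
    if t.session is not None and session_age >= t.session:
        return "session-timeout"
    if t.idle is not None and idle_for >= t.idle:
        return "idle-timeout"
    return None


if __name__ == "__main__":
    # Constructed sample: the access profile sets both timeouts ...
    profile = Timeouts(session=86400, idle=1800)
    # ... and the constructed Access-Accept carries Session-Timeout only,
    # so the profile's idle timeout survives and the session timeout is replaced.
    accept = parse_radius_attributes(build_attribute(SESSION_TIMEOUT, 3600))
    eff = effective_timeouts(profile, accept)
    print(eff)                                 # Timeouts(session=3600, idle=1800)
    print(termination_reason(eff, 3600, 10))   # session-timeout
    print(termination_reason(eff, 100, 1800))  # idle-timeout
```

The parser is deliberately strict about attribute lengths: a RADIUS attribute whose length field runs past the packet is malformed and should be rejected rather than partially trusted.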

• Testing L2TP tunnel configurations on an L2TP LAC (MX Series 3D Universal Edge Routers)—You can now test L2TP tunnel configurations on an MX Series router configured as an L2TP LAC. In earlier releases, you had to bring up a tunneled PPP subscriber to test configurations. Now you can issue the test services l2tp tunnel command from CLI operation mode to map a subscriber to an L2TP tunnel, verify the L2TP tunnel configuration (both locally on the LAC and on a back-end server such as a RADIUS server), and verify that L2TP tunnels from the LAC can be established with the remote LNS.

The Junos OS LAC implementation enables you to configure multiple tunnels from which one tunnel is chosen for tunneling a PPP subscriber. You can use the test services l2tp tunnel command to test all possible tunnel configurations to verify that each can be established. Alternatively, you can test only a specific tunnel for the subscriber.

You must specify a configured subscriber username when you issue the command. The test generates a dummy password for the subscriber, or you can optionally specify the password. The test verifies whether the subscriber identified by that username can be tunneled according to the tunnel configuration. If the subscriber can be tunneled, then the test verifies whether the L2TP tunnel can be established with the LNS according to the L2TP configuration.

You can optionally specify a tunnel ID, in which case only that tunnel is tested; the tunnel must be already configured for that username. If you omit this option, the test is applied to the full set of tunnel configurations that are returned for the username. The tunnel ID you specify is the same as that used by Tunnel-Assignment-Id (RADIUS attribute 82) and specified by the identification statement in the tunnel profile.

[Subscriber Access, System Basics and Services Command Reference]

• Parameterized filters and policers (MX Series routers)—This feature adds the ability to configure firewall filters and policers under a dynamic profile. The filter and policer definition can now utilize dynamic-profile variables, which allows you to customize your configuration at session creation time. You can configure a general filter or policer under a dynamic profile and then provide policing rates, destination addresses, ports, and so forth when a dynamic session is activated. To support this feature, the service-filter-hit-except match condition has been added to the [edit firewall] hierarchy level. In addition, the [edit dynamic-profile profile-name] hierarchy level is now supported for the [edit firewall] hierarchy.

[Subscriber Access, Policy Framework]

• DTCP trigger attributes and SNMP objects for subscriber secure policy traffic mirroring (MX Series routers)—A subscriber secure policy traffic mirroring session starts when the router, functioning as the intercept access point, receives a DTCP ADD message that contains a trigger attribute. In earlier releases, DTCP used the Interface ID attribute to trigger traffic mirroring. Junos OS Release 11.4 introduces support for additional DTCP attributes that trigger DTCP-initiated subscriber secure policy traffic mirroring.

Junos OS Release 11.4 also provides additional SNMP trap support for subscriber secure policy, including SNMP objects to identify the subscriber and to track traffic statistics.

Table 7 on page 95 shows the DTCP trigger attributes, including the previously supported Interface ID attribute. The attributes are listed in order of preference, from high to low. If an ADD message contains multiple trigger attributes, the subscriber secure policy uses the attribute with the highest preference and initiates the traffic mirroring associated with that trigger attribute.

Table 7: DTCP Trigger Attributes

Mirroring Trigger Semantic | DTCP Message Attribute Name | Description

Accounting Session ID | X-Act-Sess-Id | The text string of the accounting session ID associated with the subscriber.

Calling Station ID | X-Call-Sta-Id | The text string of the calling station ID associated with the subscriber.

IP Address | X-IP-Addr-Unit, X-Logical-System (optional), X-Routing-Instance (optional) | The IPv4 address associated with the interface for the subscriber. You can optionally include the X-Logical-System and X-Routing-Instance attributes with this attribute. If neither is specified, the default logical system and routing instance are used.

Interface ID | X-Interface-Id | The interface description string on which traffic mirroring is performed (for example, ge-0/0/0.1 or demux0.107472834).

NAS Port ID | X-NAS-Port-Id | The text string of the NAS port ID associated with the subscriber.

DHCP Option 82 | X-RM-Circuit-Id, X-RM-Agent-Id | The combination of the remote circuit ID and the remote agent ID attributes, which specifies the DHCP Option 82 associated with the session.

Remote Agent ID | X-RM-Agent-Id | The text string of the Agent Remote ID suboption for the subscriber. Can be a trigger when used by itself. Can be used together with the Remote Circuit ID attribute to specify the DHCP Option 82 trigger.

User Name | X-UserName, X-Logical-System (optional), X-Routing-Instance (optional) | The user name for this subscriber. You can optionally include the X-Logical-System and X-Routing-Instance attributes with this attribute. If neither is specified, the default logical system and routing instance are used.
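The preference rule of Table 7, applied to an ADD message that carries several trigger attributes, as an added Python example that is not Junos code. The "Name: value" header-line layout of the constructed sample message, the request line, and the names used for the default logical system and routing instance are assumptions of the example; the attribute names and their ordering are those of Table 7.

```python
"""Select the subscriber secure policy trigger from a DTCP ADD message using
the Table 7 preference order. Added example, not Junos code: the header-line
layout of the sample message and the default logical system / routing
instance names are assumptions."""
from typing import Dict, Optional, Tuple

# (semantic, required attributes, optional attributes), highest preference first
TRIGGER_PREFERENCE = [
    ("Accounting Session ID", ("X-Act-Sess-Id",), ()),
    ("Calling Station ID", ("X-Call-Sta-Id",), ()),
    ("IP Address", ("X-IP-Addr-Unit",), ("X-Logical-System", "X-Routing-Instance")),
    ("Interface ID", ("X-Interface-Id",), ()),
    ("NAS Port ID", ("X-NAS-Port-Id",), ()),
    ("DHCP Option 82", ("X-RM-Circuit-Id", "X-RM-Agent-Id"), ()),
    ("Remote Agent ID", ("X-RM-Agent-Id",), ()),
    ("User Name", ("X-UserName",), ("X-Logical-System", "X-Routing-Instance")),
]
DEFAULT_LOGICAL_SYSTEM = "default"    # assumed name for the default logical system
DEFAULT_ROUTING_INSTANCE = "default"  # assumed name for the default routing instance

# Constructed sample ADD carrying three triggers of different preference.
SAMPLE_ADD = (
    "ADD DTCP/0.7\r\n"
    "CSEQ: 7\r\n"
    "X-RM-Agent-Id: agent-17\r\n"
    "X-Interface-Id: demux0.107472834\r\n"
    "X-UserName: alice@example.net\r\n"
)


def parse_dtcp_add(message: str) -> Dict[str, str]:
    """Parse 'Name: value' header lines of an ADD message; the request line is
    checked and skipped. Names match case-insensitively, canonical spelling is kept."""
    canonical = {n.lower(): n for _, req, opt in TRIGGER_PREFERENCE for n in req + opt}
    lines = message.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].upper().startswith("ADD"):
        raise ValueError("not a DTCP ADD message")
    attrs: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip()
        attrs[canonical.get(key.lower(), key)] = value.strip()
    return attrs


def select_trigger(attrs: Dict[str, str]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (semantic, attributes used) for the highest-preference trigger whose
    required attributes are all present, or None when the ADD carries no trigger.
    DHCP Option 82 needs both X-RM-* attributes; X-RM-Agent-Id alone is Remote Agent ID."""
    for semantic, required, optional in TRIGGER_PREFERENCE:
        if all(r in attrs for r in required):
            used = {r: attrs[r] for r in required}
            if optional:  # logical system / routing instance fall back to the defaults
                used["X-Logical-System"] = attrs.get("X-Logical-System", DEFAULT_LOGICAL_SYSTEM)
                used["X-Routing-Instance"] = attrs.get("X-Routing-Instance", DEFAULT_ROUTING_INSTANCE)
            return semantic, used
    return None


if __name__ == "__main__":
    print(select_trigger(parse_dtcp_add(SAMPLE_ADD)))
    # ('Interface ID', {'X-Interface-Id': 'demux0.107472834'})
```

For the constructed message the Interface ID trigger wins over both Remote Agent ID and User Name, exactly as the preference order prescribes; the same function also distinguishes an ADD that carries only X-RM-Agent-Id (Remote Agent ID) from one that carries X-RM-Circuit-Id as well (DHCP Option 82).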

Table 8 on page 96 shows the new subscriber secure policy SNMP objects and the trap definitions for Junos OS Release 11.4.

Table 8: SNMP Trap Definitions

New SNMP Object | Description | SNMP Trap Definition

jnxJsPacketMirrorCallingStationIdentifier | Calling station ID of subscriber whose traffic is being monitored. | jnxJsPacketMirrorLiSubscriberLoggedIn, jnxJsPacketMirrorLiSubscriberServiceActivated, jnxJsPacketMirrorLiSubscriberLogInFailed, jnxJsPacketMirrorLiSubscriberServiceActivationFailed

jnxJsPacketMirrorNasIdentifier | NAS ID of the router on which the traffic is being monitored. | jnxJsPacketMirrorLiSubscriberLoggedIn, jnxJsPacketMirrorLiSubscriberServiceActivated

jnxJsPacketMirrorOctetsReceived | Number of octets of combined IPv4 and IPv6 subscriber traffic received. | jnxJsPacketMirrorLiSubscriberLoggedOut

jnxJsPacketMirrorOctetsTransmitted | Number of octets of combined IPv4 and IPv6 subscriber traffic transmitted. | jnxJsPacketMirrorLiSubscriberLoggedOut

[Subscriber Access]

• Service accounting with JSRC (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—When JSRC provisions subscriber services, you can now also use JSRC to report accounting data for those services. You can choose service activation/deactivation accounting to report cumulative service session statistics when a service is terminated, or interim accounting to report service session statistics at specified intervals for the duration of the session.

When the SAE sends the Juniper-Policy-Install AVP (AVP code 2020) to specify a service for JSRC to activate, JSRC initiates service activation/deactivation accounting if that AVP also includes the Juniper-Acct-Collect AVP (AVP code 2054).

JSRC initiates interim accounting when the Juniper-Policy-Install AVP includes the Acct-Interim-Interval AVP (AVP code 85). In this case, JSRC updates the accounting values at the interval specified in the AVP, in the range 600 through 86,400 seconds.

JSRC and the SAE exchange Diameter Accounting-Request (ACR) and Accounting-Answer (ACA) messages to communicate accounting data. Both messages include the Juniper-Acct-Record AVP (AVP code 2053) to identify and confirm the service for which accounting information is requested.

JSRC can provide an accounting only of volume statistics. You must employ either classic firewall filters or fast update firewall filters to collect the accounting data. To specify JSRC accounting, include the accounting-order activation-protocol statement at the [edit access profile] hierarchy level; this is the same access profile that configures JSRC service provisioning. Alternatively, you can configure the accounting reports to be sent by RADIUS by including instead the accounting-order radius statement at the [edit access profile] hierarchy level.

[Subscriber Access]

• Support for controlling the rate of flow of RADIUS messages (M120, M320, MX Series routers)—Junos OS Release 11.4 supports limiting the flow of RADIUS requests between the router and configured RADIUS servers. To specify the number of RADIUS requests per second that the router can send, collectively, to all configured RADIUS servers, include the request-rate configuration statement at the [access profile profile-name radius options] hierarchy level. By default, the router can send up to 500 requests per second to the RADIUS servers. You can specify a value from 500 through 4000 requests per second.

Junos OS Release 11.4 also enables you to limit the maximum number of outstanding requests from the router to a RADIUS server. To specify the maximum number of outstanding requests from the router to a RADIUS server, include the max-outstanding-requests configuration statement at the [access profile profile-name radius server] or [profile profile-name radius server] hierarchy level. By default, a RADIUS server can have up to 1000 outstanding RADIUS requests. You can specify a value from 0 through 2000 outstanding requests.

To view the current RADIUS settings, as well as the effect of the new settings on performance, use the show network-access aaa statistics radius operational mode command.

user@host> show network-access aaa statistics radius
                                           Outstanding Requests
RADIUS Server    Profile         Configured   Current   Peak   Exceeded
12.1.11.254      pppoe-auth      111          0         1      0
12.1.12.254      pppoe-auth-2    0            0         0      1
12.1.13.254      pppoe-auth-3    64           0         10     0

To clear the RADIUS statistics for the Peak and Exceeded columns, use the clear network-access aaa statistics radius operational mode command.

[Subscriber Access]
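A Python model of the two flow controls described above, the router-wide request-rate cap and the per-server max-outstanding-requests cap, together with the Configured, Current, Peak and Exceeded counters of the show command output. This is an added example, not Junos code or a description of the router's internals: the counting rules (a per-second budget for request-rate; Exceeded incremented when a request finds the server already at its outstanding limit) are this model's assumptions, and the server addresses and profile names follow the constructed sample output above.

```python
"""Model of request-rate (router-wide, 500..4000 req/s) and per-server
max-outstanding-requests (0..2000, default 1000) with the Outstanding Requests
counters of 'show network-access aaa statistics radius'. Added example; the
counting rules are assumptions of the model, server data is constructed."""
from dataclasses import dataclass, field


def _check_range(name: str, value: int, lo: int, hi: int) -> int:
    """Reject values outside the configurable range, as commit would."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be {lo}..{hi}, got {value}")
    return value


@dataclass
class ServerStats:
    address: str
    profile: str
    configured: int          # max-outstanding-requests for this server
    current: int = 0         # requests sent and not yet answered
    peak: int = 0            # highest value 'current' has reached
    exceeded: int = 0        # requests refused because current == configured

    def __post_init__(self):
        _check_range("max-outstanding-requests", self.configured, 0, 2000)


@dataclass
class RadiusClient:
    request_rate: int = 500  # requests per second across all servers
    servers: dict = field(default_factory=dict)
    _window: int = -1        # whole second the current budget belongs to
    _sent_in_window: int = 0

    def __post_init__(self):
        _check_range("request-rate", self.request_rate, 500, 4000)

    def add_server(self, address: str, profile: str, max_outstanding: int = 1000) -> None:
        self.servers[address] = ServerStats(address, profile, max_outstanding)

    def send(self, address: str, now: float) -> str:
        """Try to send one request at time `now` (seconds). Returns 'sent',
        'rate-limited' (router-wide budget for this second exhausted) or
        'outstanding-limit' (server already has `configured` requests in flight)."""
        window = int(now)
        if window != self._window:
            self._window, self._sent_in_window = window, 0
        if self._sent_in_window >= self.request_rate:
            return "rate-limited"
        srv = self.servers[address]
        if srv.current >= srv.configured:
            srv.exceeded += 1
            return "outstanding-limit"
        self._sent_in_window += 1
        srv.current += 1
        srv.peak = max(srv.peak, srv.current)
        return "sent"

    def answered(self, address: str) -> None:
        """A response (or timeout) retires one outstanding request."""
        srv = self.servers[address]
        if srv.current == 0:
            raise RuntimeError("response without an outstanding request")
        srv.current -= 1

    def clear_statistics(self) -> None:
        """Counterpart of 'clear network-access aaa statistics radius': Peak and Exceeded only."""
        for srv in self.servers.values():
            srv.peak = srv.exceeded = 0

    def show(self) -> str:
        rows = ["RADIUS Server    Profile         Configured   Current   Peak   Exceeded"]
        for s in self.servers.values():
            rows.append(f"{s.address:<16} {s.profile:<15} {s.configured:<12} "
                        f"{s.current:<9} {s.peak:<6} {s.exceeded}")
        return "\n".join(rows)


def demo() -> RadiusClient:
    """Constructed scenario reproducing the sample output: server 2 has
    max-outstanding-requests 0, so its one request is refused; server 3
    briefly holds 10 requests in flight."""
    c = RadiusClient(request_rate=500)
    c.add_server("12.1.11.254", "pppoe-auth", 111)
    c.add_server("12.1.12.254", "pppoe-auth-2", 0)
    c.add_server("12.1.13.254", "pppoe-auth-3", 64)
    c.send("12.1.11.254", 0.0)
    c.answered("12.1.11.254")
    c.send("12.1.12.254", 0.1)
    for _ in range(10):
        c.send("12.1.13.254", 0.2)
    for _ in range(10):
        c.answered("12.1.13.254")
    return c


if __name__ == "__main__":
    print(demo().show())
```

The model makes the operational point visible: a non-zero Exceeded column means requests were dropped at the outstanding limit, while a Peak close to Configured means the limit is about to bite; both are what an operator should watch after changing these statements.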

• Triggering ANCP OAM loopback tests (MX Series 3D Universal Edge Routers)—You can trigger ANCP OAM to perform a loopback test on the local loop (between the access node and the CPE), which can aid in simple fault isolation. When using an ATM-based local loop, the ANCP operation can trigger the access node to generate ATM (F4/F5) loopback cells on the local loop. For an Ethernet-based local loop, ANCP operation can trigger the access node to generate an Ethernet loopback message on the local loop. When the test is completed, the access node sends a message to the router with the results.

To initiate local loop testing, you must identify a particular loop for the test. You can issue the request ancp oam neighbor command from CLI operation mode and identify the access loop by specifying an ANCP neighbor by IP address or system name; in either case you must also specify the access identifier for a subscriber on that access node. Alternatively, you can issue the request ancp oam interface command from CLI operation mode and identify the loop by specifying an ANCP interface or set of interfaces. With either command, you can also specify how many times the test must be run and how long the router waits for a response to the OAM request.

[Subscriber Access]

• Mapping ANCP attributes to vendor-specific attributes (MX Series 3D Universal Edge Routers)—You can now configure AAA to add the Downstream-Calculated-QoS-Rate VSA (IANA 4874, 26-141) and the Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142) to the RADIUS authentication and accounting request messages for subscribers. By default, these VSAs are not present in any RADIUS messages. To add the VSAs, include the juniper-dsl-attributes statement at the [edit access profile profile-name radius options] hierarchy level.

AAA provides the default recommended transmit and receive speeds in these RADIUS messages. The default values are configured with the advisory-options statement at the [edit protocols ancp interfaces interface-name] hierarchy level. The transmit speed is the recommended traffic value in bits per second used for downstream traffic for an ANCP interface, and is conveyed in the Downstream-Calculated-QoS-Rate VSA (IANA 4874, 26-141). The receive speed is the recommended traffic value in bits per second used for upstream traffic for an ANCP interface, and is conveyed in the Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142).

In contrast to the Juniper Networks DSL VSAs, the DSL Forum (RFC 4679) VSA is added to RADIUS messages by default. You can use the exclude dsl-forum-attributes statement at the [edit access profile profile-name radius attributes] hierarchy level to prevent the DSL Forum VSA from being included in a specified type of RADIUS message. Similarly, you can use the exclude downstream-calculated-qos-rate and the exclude upstream-calculated-qos-rate statements to prevent these Juniper Networks VSAs from being included in a specified type of RADIUS message.

[Subscriber Access]

• Setting a recommended shaping rate for traffic on ANCP interfaces (MX Series 3D Universal Edge Routers)—When the access node sends information about the downstream and upstream calculated traffic rates for an interface, those values are used to shape the traffic sent to the interface so that it matches the subscriber local loop speed. You can now specify recommended values to be used in the event the router does not receive this information from the access node. The configured recommended values are used as the default values for two Juniper VSAs, Downstream-Calculated-QoS-Rate (IANA 4874, 26-141) and Upstream-Calculated-QoS-Rate (IANA 4874, 26-142). To set the recommended shaping rate, include the advisory-options statement at the [edit protocols ancp interfaces interface-name] hierarchy level and specify the downstream (transmit) or upstream (receive) traffic rate in bits per second.

[Subscriber Access]

• Improving the accuracy of the data rate reported by ANCP (MX Series 3D Universal Edge Routers)—When a DSLAM calculates the data rate on the subscriber local loop, it ignores the additional headers on the DSL line that are associated with the overhead of the access mode (ATM or Ethernet). However, when ANCP subsequently reports the upstream data rate or the downstream data rate, it includes the headers in its calculation and therefore reports a slightly higher value than that calculated by the DSLAM. This discrepancy causes the CoS shaping rate to be slightly higher than the actual rate.

You can configure an adjustment factor that applies a percentage value to the total downstream and upstream data rates reported by ANCP. The adjustment factor applies globally for all subscribers of a particular DSL line type. The adjusted data rate results in a more accurate CoS shaping rate that is reported to CoS and to AAA whenever AAA requests the data rate from ANCP. To configure the adjustment factor, include the adjustment-factor statement at the [edit protocols ancp] hierarchy level.

[Subscriber Access]
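The three ANCP items above (the advisory-options fallback when no access-node report arrives, the adjustment-factor percentage, and the two Juniper VSAs that carry the resulting rates) worked through together in Python as one added example; this is not Junos code. Assumptions: rates are plain integers in bits per second, the adjustment factor is a percentage applied to the reported rates, and the VSAs are encoded as 4-octet integers inside RADIUS attribute 26 (RFC 2865 Vendor-Specific layout) with vendor ID 4874 and vendor types 141 and 142. All sample rates are constructed.

```python
"""Shaping-rate selection for an ANCP interface and the Juniper VSAs that carry
it. Added example, not Junos code. Assumed: rates in bps, adjustment factor as
a percentage, and the VSAs as 4-octet integers in RADIUS attribute 26 with
vendor ID 4874, vendor types 141 (downstream) and 142 (upstream)."""
import struct
from typing import Optional, Tuple

JUNIPER_VENDOR_ID = 4874
DOWNSTREAM_CALCULATED_QOS_RATE = 141   # VSA 26-141
UPSTREAM_CALCULATED_QOS_RATE = 142     # VSA 26-142


def adjusted_rate(reported_bps: int, adjustment_percent: int) -> int:
    """Apply the adjustment-factor percentage to a rate reported by ANCP, which
    includes the ATM/Ethernet header overhead the DSLAM did not count."""
    if not 0 < adjustment_percent <= 100:
        raise ValueError("adjustment factor must be 1..100 percent")
    return reported_bps * adjustment_percent // 100


def shaping_rates(reported: Optional[Tuple[int, int]],
                  advisory: Tuple[int, int],
                  adjustment_percent: int = 100) -> Tuple[int, int]:
    """(downstream, upstream) rates in bps: the adjusted access-node report when
    one arrived, otherwise the advisory-options transmit/receive defaults."""
    if reported is None:
        return advisory
    down, up = reported
    return adjusted_rate(down, adjustment_percent), adjusted_rate(up, adjustment_percent)


def encode_juniper_vsa(vendor_type: int, value: int) -> bytes:
    """RADIUS Vendor-Specific (26): type, length, vendor-id, vendor-type, vendor-length, value."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", 26, 6 + len(inner), JUNIPER_VENDOR_ID) + inner


def decode_juniper_vsa(blob: bytes) -> Tuple[int, int]:
    """Inverse of encode_juniper_vsa; rejects other vendors and malformed lengths."""
    if len(blob) != 12:
        raise ValueError("expected a 12-octet VSA carrying a 4-octet integer")
    atype, alen, vendor, vtype, vlen, value = struct.unpack("!BBIBBI", blob)
    if atype != 26 or alen != 12 or vendor != JUNIPER_VENDOR_ID or vlen != 6:
        raise ValueError("not a 4-octet Juniper VSA")
    return vtype, value


def qos_rate_vsas(down_bps: int, up_bps: int) -> bytes:
    """The two VSAs that juniper-dsl-attributes adds to RADIUS authentication
    and accounting requests, concatenated as they would sit in the packet."""
    return (encode_juniper_vsa(DOWNSTREAM_CALCULATED_QOS_RATE, down_bps)
            + encode_juniper_vsa(UPSTREAM_CALCULATED_QOS_RATE, up_bps))


if __name__ == "__main__":
    advisory = (20_000_000, 1_000_000)            # constructed advisory-options values
    report = (20_480_000, 1_024_000)              # constructed access-node report (with overhead)
    print(shaping_rates(None, advisory))          # (20000000, 1000000): fallback to defaults
    down, up = shaping_rates(report, advisory, adjustment_percent=95)
    print(down, up)                               # 19456000 972800
    print(qos_rate_vsas(down, up).hex())
```

Decoding is as strict as encoding: a VSA from another vendor, or one whose length fields disagree with the octets actually present, is rejected rather than partially interpreted.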

• HTTP redirect service plugin (MX Series 3D Universal Edge Routers)—This feature adds IPv6 support for HTTP redirect. When you use a remote IPv6 HTTP redirect server, you can now configure an HTTP service rule to rewrite the IPv6-DA of incoming HTTP requests on the service router. This ensures that the requests reach the remote HTTP redirect server before being redirected to a captive portal. When you use a local HTTP redirect server, you can configure an HTTP service rule to redirect HTTP requests to a captive portal within a walled garden.

[Subscriber Access]

• AVP service bundle and definition (MX Series 3D Universal Edge Routers)—This feature adds the Juniper-Service-Bundle AVP (AVP code 2004), which is of type OctetString, and defines a name of the service bundle.

[Subscriber Access]

• Support for configurable RADIUS account termination reasons—Junos OS Release 11.4 supports configurable mapping of protocol-specific terminate reasons to the RADIUS Acct-Terminate-Cause attribute.

NOTE: For a list of default termination reasons, see the Junos OS Special Document for Release 11.4 M Series, MX Series, and T Series Routers.

When a AAA, DHCP, L2TP, or PPP session is terminated, protocol-specific terminate reasons (if determined) are converted to a specific termination cause, as defined by standard RADIUS attribute 49 (Acct-Terminate-Cause). This attribute is included in RADIUS Acct-Stop messages and is used to monitor and troubleshoot terminated user sessions.

Terminate reason usage statistics are accumulated on the router. You can use the show network-access aaa terminate-code [reverse] [(aaa | dhcp | l2tp | ppp)] [(detail | summary | brief)] command to display information about mappings between application terminate reasons and RADIUS Acct-Terminate-Cause attributes. You can also use the clear network-access aaa statistics terminate-code command to clear all terminate mapping statistics.

Junos OS Release 11.4 also supports the option to customize mappings between a terminate reason and a RADIUS Acct-Terminate-Cause attribute, enabling you to provide different information about the cause of a termination. To configure customized mappings between a terminate reason and a RADIUS Acct-Terminate-Cause attribute, include the terminate-code (aaa | dhcp | l2tp | ppp) term-reason radius term-cause statement at the [edit access] hierarchy level.

[Subscriber Access]
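The mapping described above, from a protocol-specific terminate reason to the numeric Acct-Terminate-Cause placed in an Acct-Stop, with per-protocol overrides in the spirit of the terminate-code statement and the usage counters behind the show command, as an added Python example; this is not Junos code. The Acct-Terminate-Cause numbers are the RFC 2866 values; the default table, the terminate-reason names and the fallback cause for an unmapped reason are constructed for the example (the real default mappings are in the Junos OS Special Document referenced above).

```python
"""Terminate-reason to RADIUS Acct-Terminate-Cause (attribute 49) mapping with
per-protocol overrides and usage statistics. Added example, not Junos code:
DEFAULT_MAP, the reason names and the NAS-Error fallback are constructed;
the cause numbers are those of RFC 2866."""
import struct
from collections import Counter
from typing import Dict, Optional, Tuple

ACCT_TERMINATE_CAUSE = 49
# RFC 2866 Acct-Terminate-Cause values
CAUSES = {"User-Request": 1, "Lost-Carrier": 2, "Lost-Service": 3, "Idle-Timeout": 4,
          "Session-Timeout": 5, "Admin-Reset": 6, "Admin-Reboot": 7, "Port-Error": 8,
          "NAS-Error": 9, "NAS-Request": 10, "NAS-Reboot": 11, "Port-Unneeded": 12,
          "Port-Preempted": 13, "Port-Suspended": 14, "Service-Unavailable": 15,
          "Callback": 16, "User-Error": 17, "Host-Request": 18}
PROTOCOLS = ("aaa", "dhcp", "l2tp", "ppp")

# Constructed default table: (protocol, term-reason) -> cause name
DEFAULT_MAP: Dict[Tuple[str, str], str] = {
    ("ppp", "lcp-terminate-request"): "User-Request",
    ("ppp", "keepalive-failure"): "Lost-Carrier",
    ("ppp", "idle-timeout"): "Idle-Timeout",
    ("ppp", "session-timeout"): "Session-Timeout",
    ("dhcp", "lease-expired"): "Idle-Timeout",
    ("dhcp", "client-release"): "User-Request",
    ("l2tp", "tunnel-down"): "Lost-Service",
    ("aaa", "coa-disconnect"): "Admin-Reset",
}


class TerminateCodeMapper:
    def __init__(self, overrides: Optional[Dict[Tuple[str, str], str]] = None):
        self.mapping = dict(DEFAULT_MAP)
        self.stats: Counter = Counter()   # (protocol, reason, cause name) -> count
        for (proto, reason), cause in (overrides or {}).items():
            self.set_terminate_code(proto, reason, cause)

    def set_terminate_code(self, protocol: str, term_reason: str, term_cause: str) -> None:
        """Customized mapping, analogous to:
        terminate-code ppp keepalive-failure radius Lost-Service"""
        if protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        if term_cause not in CAUSES:
            raise ValueError(f"unknown Acct-Terminate-Cause {term_cause!r}")
        self.mapping[(protocol, term_reason)] = term_cause

    def cause_for(self, protocol: str, term_reason: str) -> int:
        """Numeric cause for the Acct-Stop; an unmapped reason falls back to
        NAS-Error (an assumption of this example). Usage is counted here."""
        cause = self.mapping.get((protocol, term_reason), "NAS-Error")
        self.stats[(protocol, term_reason, cause)] += 1
        return CAUSES[cause]

    def acct_stop_attribute(self, protocol: str, term_reason: str) -> bytes:
        """Attribute 49 as placed in the Acct-Stop: type, length 6, 4-octet value."""
        return struct.pack("!BBI", ACCT_TERMINATE_CAUSE, 6, self.cause_for(protocol, term_reason))

    def summary(self, protocol: Optional[str] = None) -> Dict[str, int]:
        """Terminations per RADIUS cause, optionally for one protocol
        (the 'summary' view of the show command)."""
        out: Counter = Counter()
        for (proto, _reason, cause), n in self.stats.items():
            if protocol is None or proto == protocol:
                out[cause] += n
        return dict(out)

    def clear_statistics(self) -> None:
        """Counterpart of clear network-access aaa statistics terminate-code."""
        self.stats.clear()


if __name__ == "__main__":
    m = TerminateCodeMapper(overrides={("ppp", "keepalive-failure"): "Lost-Service"})
    print(m.acct_stop_attribute("ppp", "idle-timeout").hex())   # 31060000000004
    print(m.cause_for("ppp", "keepalive-failure"))              # 3 (override applied)
    print(m.summary("ppp"))
```

Keeping the statistics keyed by (protocol, reason, cause) rather than by cause alone is what makes the reverse view possible: an operator can see which application reasons ended up reported as, say, NAS-Error and decide whether a custom mapping is warranted.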

• RADIUS support for limiting maximum number of concurrent PPPoE sessions (M120, M320, and MX Series routers)—Enables you to override the PPPoE maximum session value (configured with the max-sessions statement) with the PPPoE maximum session value returned by the RADIUS server in the Max-Clients-Per-Interface Juniper Networks vendor-specific attribute (VSA) [26-143]. This feature is useful if you want to determine the PPPoE session limit on a per-subscriber basis.

The PPPoE maximum session value specifies the maximum number of concurrent static or dynamic PPPoE logical interfaces (sessions) that the router can activate on the PPPoE underlying interface, or the maximum number of active static or dynamic PPPoE sessions that the router can establish with a particular service entry in a PPPoE service name table.

In earlier releases, the PPPoE maximum session value was determined on a per-interface basis by the number of active PPPoE sessions configured in the CLI with the max-sessions statement. In the current release, the PPPoE maximum session value is determined on a per-subscriber basis by the maximum session value returned by RADIUS in the Max-Clients-Per-Interface VSA [26-143] during the subscriber authentication process. The Max-Clients-Per-Interface VSA returns the PPPoE maximum session value in Access-Accept messages, but not in Change of Authorization Request (CoA-Request) messages.

The Max-Clients-Per-Interface VSA uses Juniper Networks vendor ID 4874, and is defined as follows:

Attribute Name | Attribute Number | Description | Value | Dynamic CoA Support

Max-Clients-Per-Interface | 26-143 | Maximum allowable client sessions per interface. For DHCP clients, this value is the maximum sessions per logical interface. For PPPoE clients, this value is the maximum sessions (PPPoE interfaces) per PPPoE underlying interface. | integer: 4-octet | No

By default, the maximum session value returned by RADIUS in the Max-Clients-Per-Interface VSA takes precedence over the configured PPPoE maximum session value; no special configuration is required on the router to use this feature.

To clear (ignore) the value returned by RADIUS in the Max-Clients-Per-Interface VSA and restore the PPPoE maximum session value on the underlying interface to the value configured in the CLI with the max-sessions statement, you must include the new max-sessions-vsa-ignore statement at any of the following hierarchy levels:

• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family pppoe]

• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family pppoe]

• [edit interfaces interface-name unit logical-unit-number family pppoe]

• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]

• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family pppoe]

• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number pppoe-underlying-options]

To display information about the maximum sessions configured on the PPPoE underlying interface, use the show pppoe underlying-interfaces operational command.

[Junos OS Subscriber Access Configuration Guide, Junos OS Interfaces Command Reference, Junos OS Ethernet Interfaces Configuration Guide]
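The precedence rules above (the VSA value from an Access-Accept overrides the configured max-sessions, max-sessions-vsa-ignore restores the configured value, and a CoA-Request never carries an applicable value) as an added Python example that also applies the resulting limit as a session admission check on a PPPoE underlying interface. This is not Junos code: the interface names, limits, the shape of the `vsas` mapping (Juniper vendor type to value) and the admission check itself are constructed for the example.

```python
"""Per-subscriber PPPoE session limit: Max-Clients-Per-Interface (VSA 26-143)
from an Access-Accept overrides the configured max-sessions unless
max-sessions-vsa-ignore is set; the VSA in a CoA-Request is never applied.
Added example, not Junos code; names, limits and the admission check are
constructed."""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLIENTS_PER_INTERFACE = 143   # Juniper VSA 26-143, vendor ID 4874, 4-octet integer


@dataclass
class UnderlyingInterface:
    name: str
    max_sessions: int                    # configured with the max-sessions statement
    vsa_ignore: bool = False             # max-sessions-vsa-ignore present in the config
    radius_limit: Optional[int] = None   # value last learned from an Access-Accept
    active: set = field(default_factory=set)  # PPPoE session ids currently up

    def effective_limit(self) -> int:
        """RADIUS value wins by default; the configured value wins when ignored."""
        if self.radius_limit is not None and not self.vsa_ignore:
            return self.radius_limit
        return self.max_sessions

    def learn_from_radius(self, message: str, vsas: dict) -> Optional[int]:
        """Apply 26-143 only when it arrives in an Access-Accept. `vsas` maps
        Juniper vendor type -> value for that message; CoA-Requests are ignored
        because the VSA has no dynamic CoA support."""
        if message != "Access-Accept":
            return None
        value = vsas.get(MAX_CLIENTS_PER_INTERFACE)
        if value is not None:
            if value < 0:
                raise ValueError("Max-Clients-Per-Interface must be a non-negative integer")
            self.radius_limit = value
        return value

    def admit(self, session_id: str) -> bool:
        """Bring up a session if the effective limit allows one more."""
        if session_id in self.active:
            return True
        if len(self.active) >= self.effective_limit():
            return False
        self.active.add(session_id)
        return True

    def release(self, session_id: str) -> None:
        self.active.discard(session_id)


def demo():
    """Constructed scenario: CLI allows 4 sessions, RADIUS returns 2 in the
    Access-Accept, a later CoA-Request carrying 10 has no effect."""
    ifc = UnderlyingInterface("ge-1/0/0.0", max_sessions=4)
    ifc.learn_from_radius("Access-Accept", {MAX_CLIENTS_PER_INTERFACE: 2})
    results = [ifc.admit(f"sess-{i}") for i in range(3)]   # third is refused
    ifc.learn_from_radius("CoA-Request", {MAX_CLIENTS_PER_INTERFACE: 10})
    return ifc, results


if __name__ == "__main__":
    ifc, results = demo()
    print(results, ifc.effective_limit())   # [True, True, False] 2
```

Note the security-relevant consequence of the default: a RADIUS server (or anything able to inject an Access-Accept) can raise the session limit above what the CLI configured; max-sessions-vsa-ignore is the statement that pins the limit to the local configuration.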

• Support for in-line L2TP LNS (MX Series 3D Universal Edge Routers with MPCs)—MX Series routers with Trio MPCs now support L2TP LNS functionality in addition to the L2TP LAC functionality previously supported. In earlier releases, L2TP LNS support was available only on certain M Series Multiservice Edge Routers and required a separate service PIC. The new MX Series support means that the MPCs you are already using for other applications can now be used to provide inline L2TP LNS services.

To enable inline services on an MPC, include the inline-services statement at the [edit chassis fpc slot-number pic number] hierarchy level. You can configure the amount of bandwidth reserved on each Packet Forwarding Engine for tunnel traffic using inline services with the bandwidth statement at the [edit chassis fpc slot-number pic number inline-services] hierarchy level.

Inline services require that you configure a service interface—si—either statically at the [edit interfaces] hierarchy level or with a dynamic profile.

When you configure the properties of the L2TP tunnel on the LNS with the tunnel-group statement at the [edit services l2tp] hierarchy level, you can include the new aaa-access-profile statement to specify a local access profile that overrides the global access profile for this tunnel group. You can also include the tos-reflect statement, which causes the LNS to reflect the IP ToS value in the inner IP header to the outer IP header.

To monitor LNS operations and configuration, you can issue the following existing commands on the LNS: show services l2tp destination, show services l2tp session, show services l2tp summary, show services l2tp tunnel, and show subscribers.

[Subscriber Access]

• Unique identifiers for firewall variables in dynamic profiles (MX Series routers)—Enables the system to generate unique identifiers (UID) for parameterized filters in dynamic profiles created for services. The generated UIDs enable you to identify and configure separate parameter values for filters with the same variable name. In addition, assigning a UID improves performance of the router.

For service profiles, you can request the generation of a UID for a user-defined variable by including the uid statement at the [edit dynamic-profiles profile-name variable variable-name] hierarchy level. You then reference the variable name in the filter.

To enable selection of a particular filter in a dynamic profile that contains multiple variables of the same parameter and criteria type, you must indicate that the variable refers to a UID. To configure, include the uid-reference statement at the [edit dynamic-profiles profile-name variable variable-name] hierarchy level.

For example, if the variable $in-filter receives the value of “filter1” from RADIUS, the filter definition named $filter is used.

[Subscriber Access]

• SNMP support for dual-stack subscriber secure policy traffic mirroring (MX Series routers)—Subscriber secure policy traffic mirroring now provides dual-stack support for DHCP and PPP subscribers. Dual-stack support enables the router to activate both IPv4 and IPv6 traffic mirroring at different times. As part of the dual-stack enhancements, Junos OS Release 11.4 also includes a new SNMP object to identify the mirrored IPv6 traffic, and two existing SNMP objects that are modified to track IPv6 traffic statistics.

Table 9 on page 103 shows the new and modified SNMP objects.

Table 9: SNMP Trap Definitions

New SNMP Object | Description | SNMP Trap Definition

jnxJsPacketMirrorTargetIpv6Address | IPv6 address of the mirrored interface. | jnxJsPacketMirrorLiSubscriberLoggedIn, jnxJsPacketMirrorLiSubscriberServiceActivated, jnxJsPacketMirrorLiSubscriberServiceDeactivated, jnxJsPacketMirrorLiSubscriberLogInFailed, jnxJsPacketMirrorLiSubscriberLoggedOut, jnxJsPacketMirrorLiSubscriberServiceActivationFailed

jnxJsPacketMirrorOctetsReceived | Number of octets of combined IPv4 and IPv6 subscriber traffic received. | jnxJsPacketMirrorLiSubscriberLoggedOut

jnxJsPacketMirrorOctetsTransmitted | Number of octets of combined IPv4 and IPv6 subscriber traffic transmitted. | jnxJsPacketMirrorLiSubscriberLoggedOut

[Subscriber Access]

• Support for static and dynamic CoS and firewall filters on L2TP inline LNS service interfaces (MX Series routers)—Enables you to configure static and dynamic CoS parameters for PPP sessions terminated over L2TP network server (LNS) tunnels. This feature is supported on MX Series routers with MPC/MIC modules.

Inline services at the LNS require that you configure a service interface (si) at the [edit interfaces] hierarchy level.

When a service interface is configured for an L2TP LNS session, it has an inner IP header and an outer IP header. You can configure CoS for an LNS session that corresponds to the inner IP header because the outer IP header is used for the L2TP tunnel processing. However, we recommend that you configure the LNS to reflect the IP ToS value in the inner IP header to the outer IP header by including the tos-reflect statement at the [edit services l2tp] hierarchy level.

To apply per-session CoS on egress traffic from the LAC, you can configure fixed and behavior aggregate (BA) classifiers by including the classifiers statement at the [edit class-of-service] hierarchy level. You can then apply the classifiers at the [edit class-of-service interfaces si-fpc/port/pic unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles profile-name class-of-service interfaces $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level. The following BA classifier types are supported: inet-precedence, dscp, and dscp-ipv6.

To apply per-session CoS on ingress traffic to the LAC, you can configure rewrite rules, hierarchical scheduling, and shaping adjustments. To define rewrite rules, include the rewrite-rules statement at the [edit class-of-service] hierarchy level. You can then apply the rewrite rules at the [edit class-of-service interfaces si-fpc/port/pic unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles profile-name class-of-service interfaces $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.

By default, the shaping calculation on the service interface includes the L2TP encapsulation. If necessary, you can configure additional adjustments for downstream ATM traffic from the LAC or differences in Layer 2 protocols. To enable hierarchical scheduling for the service interface, include the hierarchical-scheduler statement at the [edit interfaces si-fpc/port/pic] hierarchy level. To enable Level 3 nodes in the LNS scheduler hierarchy and provide better scaling, we recommend that you specify two hierarchy levels by including the maximum-hierarchy-levels statement at the [edit interfaces si-fpc/port/pic hierarchical-scheduler] hierarchy level.

To apply additional shaping adjustments for static LNS sessions, you can configure the overhead-accounting statement for the service interface at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. For dynamic CoS, apply the overhead-accounting statement for the service interface at the [edit dynamic-profiles profile-name class-of-service traffic-control-profiles profile-name] hierarchy level. You can then apply the traffic control profile to the service interface by including the output-traffic-control-profile statement at the [edit class-of-service interfaces si-fpc/port/pic unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles profile-name class-of-service interfaces $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level. To limit bandwidth for tunneled sessions with default CoS configurations, we recommend that you also configure CoS for remaining traffic by including the output-traffic-control-profile-remaining statement for the static interface.

[Subscriber Access, Class of Service]

• DHCPv6 multiple address support (MX Series routers)—Subscriber management now supports the assignment of multiple addresses to a DHCPv6 client. DHCPv6 clients can request both IA_NA and IA_PD addresses in a single DHCPv6 Solicit message. This feature provides support for networking environments in which a customer premises equipment (CPE) device requires a host address and a delegated prefix.

DHCPv6 multiple address support is enabled by default, and is activated when the client DHCPv6 Solicit message contains both the IA_NA and IA_PD options. The following list describes subscriber management enhancements to support multiple address assignment:

• For dynamic profile support, you use the new Junos OS predefined variable, $junos-subscriber-ipv6-multi-address. The variable is applied as a demux source address array, and is expanded to include both the host and prefix addresses. You include the $junos-subscriber-ipv6-multi-address variable at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family inet6 demux-source] hierarchy level. You can use this variable in place of the existing $junos-subscriber-ipv6-address variable, which only supports a single IPv6 address or prefix.

• You can explicitly specify which address pool the router uses to assign the IA_PD address. This enables you to identify the address pool without using RADIUS or a network match. To specify which address pool you want to use to assign the IA_PD address, include the delegated-pool statement at the [edit system services


dhcp-local-server dhcpv6 ... overrides] hierarchy levels. You can configure the delegated pool at the DHCPv6 local server global, group, or interface hierarchy levels.

• The show dhcpv6 server binding and show subscriber commands now display information related to the DHCPv6 IA_NA and IA_PD multiple address assignments.

[Subscriber Access]

• Support for interface name in the authentication username—You can now include the interface name as part of the DHCPv4 and DHCPv6 authentication username for DHCP local server and DHCP relay agent. You can include the interface name globally or for a specific group.

To configure the authentication interface name, include the interface-name statement at the appropriate [edit ... authentication username-include] hierarchy levels for DHCP and DHCPv6 local server, and DHCP and DHCPv6 relay agent.

[Subscriber Access]

• Support for the calling station ID field in RADIUS packets—Starting with Release 11.4, Junos OS supports the calling station ID field in RADIUS authentication and accounting packets for sessions originating from SSH, Telnet, and FTP-based clients. The calling station ID field contains the IP address of the host from which a user connects to the router.

Addition of the calling station ID information in the RADIUS authentication packets enables you to configure the RADIUS server to authorize, track, and account users based on the calling station ID information. The calling station ID field also enables you to identify the geographical locations of the host from which the connection request originates.

[System Basics]

• Enhancements to tracing DHCP operations (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—In earlier releases you configured DHCP trace logging in only the default:default LS:RI combination; the configuration was applied globally to all LS:RI instances. To apply DHCP trace operations to a nondefault LS:RI combination, you were required to configure a DHCP application in the default:default LS:RI combination.

Trace logging is now configured by default outside the scope of the DHCP applications (DHCP relay or DHCP local server). To apply a DHCP trace configuration across all LS:RI combinations and all DHCP applications, include the traceoptions or interface-traceoptions statement at the [edit system processes dhcp-service] hierarchy level.

NOTE: Configuration of event tracing on a per-LS:RI basis is still not supported.

The existing statements at the [edit system services dhcp-local-server] and [edit forwarding-options dhcp-relay] hierarchy levels have been deprecated and hidden in favor of the statements at the new level in the CLI hierarchy. The deprecated statements


might be removed from a future release; we recommend that you transition to the new statements.

Because a trace configuration can be configured in more than one scope (two old and deprecated, one new and recommended), the following rules apply to manage the interaction:

• When you configure a filename or any other options for the trace log file, the configuration at the [edit system processes dhcp-service] hierarchy level has the highest precedence, followed by the configuration at the [edit system services dhcp-local-server] hierarchy level, and finally, with the lowest precedence, the configuration at the [edit forwarding-options dhcp-relay] hierarchy level.

• The flag configuration for multiple scopes is merged and applied to all trace log events.

• You can now filter the generation of DHCP trace log events by severity level: error, warning, notice, info, verbose, and all. The default setting is error. However, if you configure the old statements, trace logging operates with an implicit severity of all, regardless of the severity level configured at the [edit system processes dhcp-service] hierarchy level.


The following table lists previously available traceoptions flags that have been deprecated and the corresponding flags that now provide the same functionality.

Replacement Flag    Deprecated Flag
general             dhcpv6-general
io                  dhcpv6-io
packet              dhcpv6-packet
packet              dhcpv6-packet-option
rpd                 dhcpv6-rpd
session-db          dhcpv6-session-db
state               dhcpv6-state
packet              packet-option

Finally, the layout of trace log content has been enhanced to improve readability.

[Subscriber Access]

• Support for filter Enhanced Network Services mode (MX Series routers with MPCs)—Junos OS Release 11.4 supports the limiting of static service filters or API-client filters to term-based filter format only for inet or inet6 families when Enhanced Network Services mode is configured at the [edit chassis network-services] hierarchy level. When used with one of the chassis Enhanced Network Services modes, firewall filters are generated only in term-based format for use with MPCs.

To configure a firewall filter for use with Enhanced Network Services mode, include the enhanced-mode statement at the [edit firewall family inet filter filter-name] or [edit firewall family inet6 filter filter-name] hierarchy level.

[Subscriber Access]

• CoS enhancements for managing bandwidth for subscriber services (MX Series routers with MPC/MIC interfaces)—Enables you to prioritize and manage bandwidth for services more effectively at different levels of the broadband edge network. These enhancements are supported on MPC/MIC modules on MX Series routers.

By default, MPC/MIC interfaces support scheduling of excess bandwidth for both low- and high-priority traffic. You can now specify the specific priority of the excess bandwidth by including the excess-rate-high [proportional value | percent value] statement or the excess-rate-low [proportional value | percent value] statement at the [edit class-of-service traffic-class-profile profile-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service traffic-class-profile profile-name] hierarchy level. Note that when you configure the excess-rate statement for an interface, you cannot also configure the excess-rate-low and excess-rate-high statements. We recommend that you configure either a percentage or a proportion of the excess


bandwidth for all schedulers with the same parent in the hierarchy. For example, if you configure interface 1.1 with 20% of the excess bandwidth, configure interface 1.2 with 80% of the excess bandwidth.

On MPC/MIC interfaces, you can configure shaping of aggregate traffic at a given priority. By default, when traffic exceeds the shaping or guaranteed rates, the system demotes traffic with guaranteed priority. You can disable priority demotion by including the none option with the excess-priority statement at the [edit class-of-service schedulers scheduler-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service schedulers scheduler-name] hierarchy level. Traffic that exceeds the shaping rate is dropped.

You can now configure a burst size for the shaping rate and guaranteed rate at the traffic control profile level, as well as for the shaping rate at the scheduler level. The burst value determines the number of rate credits that can accrue when the queue or scheduler node is held in the inactive round robin. This feature is useful to prevent excessive buffering at downstream DSLAMs, which typically have limited QoS and buffering capabilities. Include the burst-size option with the shaping-rate or guaranteed-rate statement at the [edit class-of-service traffic-control-profile profile-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service traffic-control-profile profile-name] hierarchy level. You can also include the burst-size option with the shaping rate at the [edit class-of-service schedulers scheduler-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service schedulers scheduler-name] hierarchy level.

In addition, you can now configure an excess rate when no guaranteed rate is specified for a scheduler hierarchy without receiving a commit error.

[Class of Service, Subscriber Access]

• Support for automatic removal of subscriber VLANs—Junos OS Release 11.4 supports the automatic removal of subscriber VLANs when no client sessions (for example, DHCP or PPPoE) exist on the VLAN. Before Junos OS Release 11.4, you were only able to clear or delete subscriber VLANs manually.

To automatically remove unused dynamic subscriber VLANs, include the remove-when-no-subscribers statement at the [edit interfaces interface-name auto-configure] hierarchy level.

NOTE: The maintain-subscriber statement and remove-when-no-subscribers statement are mutually exclusive. You cannot specify that dynamically configured VLAN interfaces are removed when no subscribers exist when the router is also configured to maintain subscribers.

When configuring automatic removal of dynamic subscriber VLANs, keep the following in mind:

• You can configure automatic VLAN removal only on individual physical interfaces. You cannot configure the feature globally.

• Automatic VLAN removal is not supported for use on Layer 2 Wholesale interfaces.


• PPPoE subscriber interfaces require the use of dynamic profiles when configured over dynamic VLANs. However, dynamic profiles are not required for use with DHCP subscriber interfaces that use underlying dynamic VLANs. Because the remove-when-no-subscribers functionality triggers when no dynamic client sessions exist on a dynamic VLAN, automatic removal of underlying dynamic VLANs is not supported when DHCP subscriber interfaces are not created using dynamic profiles.

[Subscriber Access, Network Interfaces]

• Support for address pool threshold traps (MX Series 3D Universal Edge Routers)—You can now set usage threshold traps to give advance warning that an address pool is running short on available addresses. To configure address pool usage threshold traps, include the abatedUtilization utilization-value, abatedUtilization-v6 utilization-value, highUtilization percentage, and highUtilization-v6 percentage statements at the [edit access address-assignment] hierarchy level.

[Subscriber Access]
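The high/abated threshold pair above is a hysteresis: one trap when usage climbs to the high mark, one when it drops back to the abated mark, and nothing in between. The model below is an added example, not Juniper code; the threshold semantics are assumed from the statement names, and the pool name, trap strings and utilisation samples are constructed.

```python
"""Model the address-pool usage threshold traps (added example, not Juniper code).

Assumed semantics: a high trap fires once pool usage reaches highUtilization,
an abated trap fires once usage falls to abatedUtilization or below, and the
monitor does not repeat either trap while usage stays between the two marks.
"""


class PoolUsageMonitor:
    def __init__(self, pool: str, high_pct: int, abated_pct: int):
        # Sanity check: an abated mark at or above the high mark would make
        # the monitor flap on every sample (assumed rule, not a Junos rule).
        if not 0 <= abated_pct < high_pct <= 100:
            raise ValueError("require 0 <= abated < high <= 100")
        self.pool = pool
        self.high_pct = high_pct
        self.abated_pct = abated_pct
        self.alarmed = False  # True while a high trap is outstanding

    def observe(self, allocated: int, total: int):
        """Feed one utilisation sample; return a trap tuple or None."""
        if total <= 0 or not 0 <= allocated <= total:
            raise ValueError("bad pool counters")
        pct = allocated * 100 // total
        if not self.alarmed and pct >= self.high_pct:
            self.alarmed = True
            return ("high-utilization", self.pool, pct)  # trap name constructed
        if self.alarmed and pct <= self.abated_pct:
            self.alarmed = False
            return ("abated-utilization", self.pool, pct)
        return None


def run_samples(monitor: PoolUsageMonitor, samples):
    """Return only the samples that produced a trap."""
    return [t for t in (monitor.observe(a, n) for a, n in samples) if t]


# Constructed samples: (allocated, total) for a 1000-address pool over time.
SAMPLES = [(700, 1000), (900, 1000), (950, 1000), (880, 1000), (600, 1000), (920, 1000)]

if __name__ == "__main__":
    # With high=90 and abated=70 only three of the six samples produce traps.
    for trap in run_samples(PoolUsageMonitor("pool-a", 90, 70), SAMPLES):
        print(trap)
```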

• Using access profiles to manage NAS port information (MX Series routers)—Subscriber management uses default settings and values specified in RADIUS to identify the NAS port used for subscriber authentication. The NAS-Port-Id (RADIUS attribute 87) and NAS-Port-Type (RADIUS attribute 61) provide the NAS port identification and type information.

You can optionally configure access profiles to provide alternate values for the RADIUS NAS-Port-Id and NAS-Port-Type attributes. This enables you to use access profiles to specify the NAS port that is used for a given connection. For example, you might configure an access profile that specifies that a NAS port type of wireless is used for all Ethernet connections that are managed by that access profile.

To configure an optional NAS-Port-Id, use the nas-port-id-format statement at the [edit access profile profile-name radius-options] hierarchy level. The optional NAS-Port-Id can include any combination of the NAS identifier, the Agent Circuit ID (ACI), the Agent Remote ID (ARI), and the interface description.

To configure an optional NAS-Port-Type, use the nas-port-type statement at the [edit access profile profile-name radius-options] hierarchy level. The optional port type values are specified in RFC 2865 and are also described in the Junos OS Subscriber Access Configuration Guide.

[Subscriber Access]
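The calling station ID feature and the NAS port feature above both end up as attributes in RADIUS packets; a server or a collector that consumes them should validate the packet before trusting the values. The following added example (not Juniper code) builds a constructed Accounting-Request carrying Calling-Station-Id (attribute 31 per RFC 2865), NAS-Port-Type (61) and NAS-Port-Id (87), verifies the RFC 2866 Request Authenticator, and decodes the attributes; the shared secret, addresses and NAS-Port-Id string are all constructed values.

```python
"""Decode RADIUS accounting attributes after authenticator verification.

Added example, not Juniper code. Attribute numbers 61 and 87 are the ones
the release notes quote; 31 (Calling-Station-Id) is from RFC 2865. All
sample values below are constructed.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4

ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    31: "Calling-Station-Id",
    61: "NAS-Port-Type",
    87: "NAS-Port-Id",
}

# RFC 2865 NAS-Port-Type values (subset)
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-802.11"}


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if not value or len(value) > 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, attrs) -> bytes:
    """Serialize an Accounting-Request with its RFC 2866 authenticator."""
    body = b"".join(_tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator; a mismatch means the packet is discarded."""
    if len(packet) < 20:
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def decode_attributes(packet: bytes) -> dict:
    """Parse the attribute list, enforcing the RFC 2865 length rules."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    out = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type == 61 and len(value) == 4:
            port_type = struct.unpack("!I", value)[0]
            out[name] = NAS_PORT_TYPES.get(port_type, str(port_type))
        elif attr_type == 4 and len(value) == 4:
            out[name] = ".".join(str(b) for b in value)
        else:
            out[name] = value.decode("utf-8", errors="replace")
        pos += attr_len
    return out


def decode_if_authentic(packet: bytes, secret: bytes) -> dict:
    """Decode only after the authenticator checks out."""
    if not verify_accounting_authenticator(packet, secret):
        raise ValueError("authenticator mismatch: discard packet")
    return decode_attributes(packet)


# Constructed sample: an operator's SSH session from 192.0.2.10 is accounted;
# the NAS-Port-Id value merely imitates an access-profile nas-port-id-format result.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(
    identifier=7,
    secret=SECRET,
    attrs=[
        (1, b"operator"),
        (4, bytes([198, 51, 100, 1])),
        (31, b"192.0.2.10"),           # calling station ID = client host IP
        (61, struct.pack("!I", 15)),   # NAS-Port-Type Ethernet
        (87, b"ge-1/0/0.100:dslam1"),  # NAS-Port-Id (constructed)
    ],
)

if __name__ == "__main__":
    print(decode_if_authentic(SAMPLE, SECRET))
```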

System Logging

• New and deprecated system log tags—The following set of system log messages is new in this release:

• ANALYZER—This chapter describes messages with the ANALYZER prefix on the Juniper Networks EX Series switches. They are generated by the sample process (sampled), which gathers information on mirrored traffic analysis for EX Series switches.

• FABOAMD—This chapter describes messages with the FABOAMD prefix on the Juniper Networks QFabric QFX3000 switch. They are generated by the QFabric


switch Operations, Administration, and Maintenance (OAM) process (faboamd), which enables OAM operations (such as a fabric ping) across different devices in the QFabric switch.

The following system log messages are new in this release:

• ANALYZER_INPUT_INTERFACES_LIMIT

• APPIDD_APPPACK_INSTALL_RESULT

• APPIDD_INTERNAL_ERROR

• APPTRACK_SESSION_APP_UPDATE_LS

• APPTRACK_SESSION_CLOSE_LS

• APPTRACK_SESSION_CREATE_LS

• APPTRACK_SESSION_VOL_UPDATE_LS

• ASP_NAT_PORT_BLOCK_ALLOC

• ASP_NAT_PORT_BLOCK_RELEASE

• CHASSISD_ACQUIRE_MASTERSHIP

• CHASSISD_FM_ACTION_FPC_OFFLINE

• CHASSISD_FM_ACTION_FPC_ONLINE

• CHASSISD_FM_ACTION_FPC_POWER_OFF

• CHASSISD_FM_ACTION_FPC_RESTART

• CHASSISD_FM_ACTION_PLANE_OFFLINE

• CHASSISD_FM_ACTION_PLANE_ONLINE

• CHASSISD_FM_DETECT_PLANES_DOWN

• CHASSISD_FM_DETECT_UNREACHABLE

• CHASSISD_VCHASSIS_LICENSE_ERROR

• DCBX_PFC_DISABLED

• DCBX_PFC_ENABLED

• DCD_PARSE_WARN_INCOMPATIBLE_CFG

• ESWD_LEARNT_FDB_MEMORY_ERROR

• ESWD_OUT_OF_LOW_MEMORY

• ESWD_STATIC_FDB_MEMORY_WARNING

• ESWD_VLAN_MAC_LIMIT_EXCEEDED


• EVENTD_SECURITY_LOG_CLEAR

• FABOAMD_DEBUGGING

• FABOAMD_TASK_SOCK_ERR

• FLOW_HIGH_WATERMARK_TRIGGERED_LS

• FLOW_IP_ACTION_LS

• FLOW_LOW_WATERMARK_TRIGGERED_LS

• FWAUTH_FTP_LONG_PASSWORD_LS

• FWAUTH_FTP_LONG_USERNAME_LS

• FWAUTH_FTP_USER_AUTH_ACCEPTED_LS

• FWAUTH_FTP_USER_AUTH_FAIL_LS

• FWAUTH_HTTP_USER_AUTH_FAIL_LS

• FWAUTH_HTTP_USER_AUTH_OK_LS

• FWAUTH_TELNET_LONG_PASSWORD_LS

• FWAUTH_TELNET_LONG_USERNAME_LS

• FWAUTH_TELNET_USER_AUTH_FAIL_LS

• FWAUTH_TELNET_USER_AUTH_OK_LS

• FWAUTH_WEBAUTH_FAIL_LS

• FWAUTH_WEBAUTH_SUCCESS_LS

• IDP_APPDDOS_APP_ATTACK_EVENT_LS

• IDP_APPDDOS_APP_STATE_EVENT_LS

• IDP_ATTACK_LOG_EVENT_LS

• IDP_SESSION_LOG_EVENT_LS

• JSRPD_SET_HW_MON_FAILURE

• JSRPD_SET_LOOPBACK_MON_FAILURE

• JSRPD_SET_MBUF_MON_FAILURE

• JSRPD_SET_NEXTHOP_MON_FAILURE

• JSRPD_UNSET_HW_MON_FAILURE

• JSRPD_UNSET_LOOPBACK_MON_FAILURE

• JSRPD_UNSET_MBUF_MON_FAILURE


• JSRPD_UNSET_NEXTHOP_MON_FAILURE

• L2ALD_FREE_MAC_FAILED

• LACPD_TIMEOUT

• LICENSE_SHM_ATTACH_FAILURE

• LICENSE_SHM_CREATE_FAILURE

• LICENSE_SHM_DETACH_FAILURE

• LICENSE_SHM_FILE_OPEN_FAILURE

• LICENSE_SHM_KEY_CREATE_FAILURE

• LICENSE_SHM_SCALE_READ_FAILURE

• LICENSE_SHM_SCALE_UPDATE_FAILURE

• LSYSD_CFG_RD_FAILED

• LSYSD_INIT_FAILED

• LSYSD_SEC_NODE_COMP_SYNC_FAILED

• PKID_AFTER_KEY_GEN_SELF_TEST

• PKID_CORRUPT_CERT

• PKID_FIPS_KAT_SUCCESS

• PKID_PV_OBJECT_READ

• RPD_MPLS_REQ_BW_NOT_AVAILABLE

• RPD_PTHREAD_CREATE

• RPD_RSVP_INCORRECT_FLOWSPEC

• RPD_RT_CFG_EIBGP_VTL_CONFLICT

• RT_FLOW_SESSION_CLOSE_LS

• RT_FLOW_SESSION_CREATE_LS

• RT_FLOW_SESSION_DENY_LS

• RT_SCREEN_ICMP_LS

• RT_SCREEN_IP_LS

• RT_SCREEN_SESSION_LIMIT_LS

• RT_SCREEN_TCP_DST_IP_LS

• RT_SCREEN_TCP_LS


• RT_SCREEN_TCP_SRC_IP_LS

• RT_SCREEN_UDP_LS

• RTLOG_UTP_TCP_SYN_FLOOD_LS

• SYSTEM_ABNORMAL_SHUTDOWN

• UI_AUTH_BAD_LOCATION

• UI_AUTH_BAD_TIME

• UI_CLASS_MODIFIED_USERS

• UI_CLI_IDLE_TIMEOUT

• UI_COND_GROUPS

• UI_COND_GROUPS_COMMIT

• UI_COND_GROUPS_COMMIT_ABORT

• UTMD_MAILNOTIFIER_FAILURE

• WEBFILTER_URL_REDIRECTED

The following system log messages are no longer documented, either because they indicate internal software errors that are not caused by configuration problems or because they are no longer generated. If these messages appear in your log, contact your technical support representative for assistance:

• AV_HUGE_FILE_DROPPED_MT

• AV_HUGE_FILE_NOT_SCANNED_MT

• AV_MANY_MSGS_DROPPED_MT

• AV_MANY_MSGS_NOT_SCANNED_MT

• AV_SCANNER_DROP_FILE_MT

• AV_SCANNER_ERROR_SKIPPED_MT

• AV_VIRUS_DETECTED_MT

• CHASSISD_FM_FABRIC_DOWN

• CHASSISD_FPC_FABRIC_DOWN_REBOOT

• DCD_PARSE_ERR_INCOMPATIBLE_CFG

• JSRPD_SET_IP_MON_FAILURE

• JSRPD_UNSET_IP_MON_FAILURE

• KMD_DPD_IKE_SERVER_NOT_FOUND


• KMD_DPD_INVALID_ADDRESS

• KMD_DPD_INVALID_SEQUENCE_NUMBER

• KMD_DPD_NO_LOCAL_ADDRESS

• KMD_DPD_REMOTE_PEER_NOT_FOUND

• KMD_DPD_UNEXPECTED_IKE_STATUS

• KMD_PM_AUTH_ALGORITHM_INVALID

• KMD_PM_DYNAMIC_SA_INSTALL_FAILED

• KMD_PM_ENCRYPTION_INVALID

• KMD_PM_IKE_SRV_NOT_FOUND_CREATE

• KMD_PM_KEY_NOT_SUPPORTED

• KMD_PM_LIFETIME_DUPLICATE

• KMD_PM_LIFETIME_LENGTH_UNEQUA

• KMD_PM_LIFETIME_NO_DURATION

• KMD_PM_LIFETIME_TYPE_UNDEFINED

• KMD_PM_LIFETIME_UNITS_INVALID

• KMD_PM_NEW_GROUP_UNSUPPORTED

• KMD_PM_PHASE1_GROUP_UNREADABLE

• KMD_PM_PHASE1_IKE_SRV_NOT_FOUND

• KMD_PM_PHASE1_NO_IDENTITIES

• KMD_PM_PHASE1_NO_SPD_HANDLER

• KMD_PM_PHASE1_POLICY_LOOKUP_FAIL

• KMD_PM_PHASE1_POLICY_NOT_FOUND

• KMD_PM_PHASE1_PROTO_INVALID

• KMD_PM_PHASE1_PROTO_NOT_ISAKMP

• KMD_PM_PHASE1_PROTO_TWICE

• KMD_PM_PHASE1_TXFORM_INCOMPLETE

• KMD_PM_PHASE1_TXFORM_INVALID

• KMD_PM_PHASE2_IDENTITY_MISMATCH

• KMD_PM_PHASE2_NOTIF_UNKNOWN


• KMD_PM_PHASE2_SELECTOR_UNDEFINED

• KMD_PM_PROPOSAL_NO_AUTH

• KMD_PM_PROPOSAL_NO_ENCRYPTION

• KMD_PM_PROPOSAL_NO_KEY_LENGTH

• KMD_PM_PROPOSAL_NULL_ESP

• KMD_PM_PROPOSAL_PROTOCOL_INVALID

• KMD_PM_PROTO_NOT_NEGOTIATED

• KMD_PM_REMOTE_PEER_INVALID

• KMD_PM_SA_DELETE_REJECT

• KMD_SNMP_IKE_SERVER_NOT_FOUND

• KMD_VPN_PV_KEY_EXCHG

• RT_GTP_BAD_LICENSE

• RT_GTP_DEL_TUNNEL_V0

• RT_GTP_DEL_TUNNEL_V1

• RT_GTP_SANITY_EXTENSION_HEADER

• RT_SIP_MEM_ALLOC_FAILED

• SSH_FIPS_SELFTEST_EXECUTED

• SSH_KEYGEN_SELFTEST_DSA

• SSH_KEYGEN_SELFTEST_RSA

• SSH_MSG_REPLAY_DETECT

• SSHD_FIPS_SELFTEST_EXECUTED

• VSYSD_INIT_FAILED

• Support for forwarding structured system log messages to remote system log server—The structured-data configuration statement is added at the [edit system syslog host] hierarchy level to enable the forwarding of system log messages in a structured format to a remote system log server. This statement configures the eventd process to forward system log messages in the IETF format, which allows vendor-specific extensions to be included in the message in a structured way. The system log messages can be received on a centralized server that is capable of accepting structured messages.

By default, the eventd process forwards the entire message to the remote system log server, when message forwarding is enabled. The eventd process can be enabled to


send only part of the message (strip the free-form text message). This configuration can be set by using the brief option provided for the structured-data statement.

[System Basics]
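The IETF format referred to above is RFC 5424, whose STRUCTURED-DATA block carries the vendor-specific parameters and whose free-form MSG part is what the brief option strips. The parser below is an added example, not Juniper code, for a collector that has to ingest both forms; the sample lines are constructed in the style of Junos structured messages, and the "junos@2636..." SD-ID (2636 is Juniper's IANA enterprise number) and the parameter names are assumptions.

```python
"""Parse RFC 5424 structured-data syslog of the kind structured-data forwards.

Added example, not Juniper code. Sample lines are constructed; the SD-ID and
parameter names imitate the Junos style but are assumptions.
"""
import re
from dataclasses import dataclass, field

# RFC 5424 HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.S,
)
# SD-PARAM: PARAM-NAME="PARAM-VALUE"; '"', '\' and ']' are backslash-escaped
_PARAM = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(r'\\([\\"\]])')


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    sd: dict = field(default_factory=dict)  # SD-ID -> {PARAM-NAME: value}
    msg: str = ""                           # free-form MSG; empty with brief


def _parse_sd(text: str):
    """Consume STRUCTURED-DATA from the front of text; return (sd, msg)."""
    if text.startswith("-"):                # NILVALUE: no structured data
        return {}, text[1:].lstrip(" ")
    sd, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        end = pos
        while True:                         # skip escaped ']' inside values
            end = text.find("]", end + 1)
            if end == -1:
                raise ValueError("unterminated SD-ELEMENT")
            if text[end - 1] != "\\":
                break
        sd_id, _, params = text[pos + 1:end].partition(" ")
        sd[sd_id] = {m["name"]: _ESCAPE.sub(r"\1", m["value"])
                     for m in _PARAM.finditer(params)}
        pos = end + 1
    return sd, text[pos:].lstrip(" ")


def parse_syslog(line: str) -> SyslogRecord:
    """Reject anything that is not RFC 5424 version 1 (e.g. BSD-style syslog)."""
    m = _HEADER.match(line)
    if not m or m["version"] != "1":
        raise ValueError("not an RFC 5424 version 1 message")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    sd, msg = _parse_sd(m["rest"])
    return SyslogRecord(pri // 8, pri % 8, m["ts"], m["host"], m["app"],
                        m["procid"], m["msgid"], sd, msg)


def extract_fields(line: str) -> dict:
    """Flatten header and SD params into one dict, as a SIEM field extractor would."""
    rec = parse_syslog(line)
    out = {"msgid": rec.msgid, "severity": rec.severity, "host": rec.host, "msg": rec.msg}
    for params in rec.sd.values():
        out.update(params)
    return out


# Constructed samples: one event as a full message, the same event in brief
# form (free-form MSG stripped), and one with escaped characters in a value.
FULL = ('<165>1 2011-12-08T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT '
        '[junos@2636.1.1.1.2.18 username="regress"] '
        "User 'regress' exiting configuration mode")
BRIEF = ('<165>1 2011-12-08T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT '
         '[junos@2636.1.1.1.2.18 username="regress"]')
ESCAPED = ('<165>1 2011-12-08T09:18:00Z router1 mgd 3046 UI_CMDLINE_READ_LINE '
           '[junos@2636.1.1.1.2.18 username="regress" '
           'command="set login message \\"hi\\" \\] \\\\ end"]')

if __name__ == "__main__":
    for sample in (FULL, BRIEF, ESCAPED):
        print(extract_fields(sample))
```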

• Support for configuring system log file rotation frequency—The log-rotate-frequency configuration statement is added at the [edit system syslog] hierarchy to configure the system log file rotation frequency. The log rotation frequency is altered by configuring the time interval at which the log file size is checked. When the log file size has exceeded the configured limit, the old log file is archived and a new log file is created. The default log rotation frequency is 15 minutes and it can be configured for any value between 1 minute through 59 minutes.

Currently, the cron process schedules the newsyslog process every 15 minutes and this value cannot be changed by administrators. If logging to log files takes place at a very rapid rate, log files can grow in size much beyond their actual configured limit before the newsyslog process can be scheduled to rotate the files. The log-rotate-frequency configuration statement helps to overcome this limitation.

[System Basics]

• System logging for logical systems (M Series, MX Series, and T Series routers)—To configure, include the syslog statement at the [edit logical-systems logical-system-name system] hierarchy level. To view the system log, run the show log logical-system-name/file-name command.

[Logical Systems]

User Interface and Configuration

• Support for the confirmed option with the commit command in the edit private mode—In Junos OS Release 11.4 and later, you can also use the commit confirmed command in the [edit private] configuration mode.

[CLI User Guide]

• Support for configuring a proxy server for downloading licenses—In Junos OS Release 11.4 and later, you can download Juniper Networks license updates using a proxy server. In earlier releases, downloading license updates was only possible by directly connecting to the Juniper Networks License Management System. In an enterprise, there might be devices in a private network that might be restricted from connecting to the Internet directly for security reasons.

In such scenarios, you can configure a proxy server in the private network to connect to the LMS and download the license updates, and have the routers or devices in the private network connect to the proxy server to download the licenses or license updates. To enable this feature, configure the device with details of the proxy server at the [edit system proxy] hierarchy level.

[System Basics]


VPNs

• NTP support for IPv6 VRF—In Junos OS Release 11.4 and later, NTP also supports IPv6 VPN routing and forwarding (VRF) requests in addition to IPv4 VRF requests. This enables an NTP server running on a provider edge (PE) router to respond to NTP requests from a customer edge (CE) router. As a result, a PE router can process any NTP request packet coming from different routing instances.

[System Basics]

• Extended Y.1731 functionality on VPLS for frame-delay and delay-variation (MX Series routers with MPC interfaces)—MX Series routers with Modular Port Concentrators (MPCs) support Y.1731 functionality on VPLS for frame delay and delay variation.

[VPNs, Line Card Guide]

• Extends egress protection LSP support and interoperability between MX Series DPCs and MPC/MIC interfaces (MX240, MX480, and MX960 routers)—An egress protection LSP addresses the problem when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device). An egress protection LSP is an RSVP-signaled ultimate hop popping LSP. Egress protection LSPs do not address the problem of a node failure at the edge of the network (for example, a failure of a PE router). Starting with Release 11.4, Junos OS extends support for egress protection LSP to MPC/MIC interfaces. Egress protection LSP can now interoperate between MX Series DPCs and MPC/MIC interfaces when both types are present on the same MX Series router. In previous Junos OS releases, this feature was supported only on DPCs in MX Series routers.

[VPNs]

Related Documentation

• Changes in Default Behavior and Syntax, and for Future Releases in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

• Issues in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

• Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers on page 117

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

Errata

The Junos OS Documentation for M, MX, and T Series Routers documentation index page correctly points to the Junos 11.2 version. The Junos OS Release 11.4 version of this page will release in a later phase of Junos OS Release 11.4.


High Availability

• TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing.

[High Availability]

Interfaces and Chassis

• The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces Configuration Guide states that one way to configure an ATM II interface to enable a Layer 2 circuit connection across all versions of Junos OS is the following:

• For Layer 2 circuit cell relay and Layer 2 trunk modes, the atm-l2circuit-mode cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation atm-ccc-cell-relay statement at the [edit interface interface-name] hierarchy level.

The configuration above is correct and interoperates with routers running all versions of Junos OS.

However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interface interface-name unit logical-unit-number] hierarchy level. When you use this configuration, keep the following points in mind:

• This configuration interoperates between Juniper Networks routers running Junos OS Release 8.2 or earlier.

• This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later.

• For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the router running Junos OS Release 8.3 or later, include the use-null-cw statement at the [edit interfaces interface-name atm-options] hierarchy level.

• The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic) an extra null control word in the MPLS packet.

• The use-null-cw statement is not supported on a router running Junos OS Release 8.2 or earlier.

[ATM Interfaces]

• With Junos OS Release 10.1 and later, you need not include the tunnel option or the clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.

[Services Interfaces]

• The 10.3 through 11.1 Network Interfaces Configuration Guides and the 11.2 Ethernet Interfaces Configuration Guide require the following corrections:

• A new fifth bullet was added to the "802.3 link aggregation" bullet list, as follows:

Multiple Juniper Networks Type 4, 100-Gigabit Ethernet PICs on a T1600 router can be combined into a static aggregated Ethernet bundle to connect to a different type


of 100 gigabit Ethernet PIC on a remote router, from Juniper Networks or other vendors. LACP is not supported in this configuration.

• The "Ingress traffic performance" bullet was revised and now reads as follows:

Ingress traffic performance—Maximum ingress throughput is 100 gigabits per second on the physical interface, with 50 gigabits per second on the two assigned logical interfaces. To achieve 100 gigabits per second ingress traffic performance, use one of the interoperability modes described below. For example, if VLAN steering mode is not used when connecting to a remote 100 gigabits per second interface (that is on a different 100 gigabits per second PIC on a Juniper Networks router or a different vendor's equipment), then all ingress traffic will try to use one of the 50 gigabits per second Packet Forwarding Engines, rather than be distributed among the two 50 gigabits per second Packet Forwarding Engines, resulting in a total of 50 gigabits per second ingress performance.

[Network Interfaces, Ethernet Interfaces]

J-Web Interface

• To access the J-Web interface, your management device requires the following software:

• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0

• Language support—English-version browsers

• Supported OS—Microsoft Windows XP Service Pack 3

Layer 2 Ethernet Services

• In the Layer 2 Configuration Guide, the examples provided in the sections Configuring Layer 2 Protocol Tunneling, Configuring BPDU Protection on Individual Interfaces, and Configuring BPDU Protection on All Edge Ports are incorrect for configuring Layer 2 tunneling with routing instances.

Multicast

• The listings for the following RFCs incorrectly state that Junos OS supports only SSM include mode. Both include mode and exclude mode are supported in Junos OS Release 9.3 and later.

• RFC 3376, Internet Group Management Protocol, Version 3

• RFC 3590, Source Address Selection for the Multicast Listener Discovery (MLD) Protocol

[Hierarchy and Standards Reference]

Routing Policy and Firewall Filters

• The DDoS Protection Operational Mode Commands in the Junos OS System Basics and Services Command Reference Guide incorrectly cite the Junos OS System Basics Configuration Guide for related configuration information. This information is actually available in the Junos OS DDoS Protection Configuration Guide.


[System Basics Command Reference]

• The protocols (DDoS) configuration statement topic and the show ddos-protection protocols command topic erroneously list firewall-reject as an available protocol group. The correct name for this protocol group in the CLI is reject. The protocol group is now correctly described as Packets rejected by a next-hop forwarding decision.

[DDoS Protection]
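As an added example that is not part of the release notes, the following configuration rate-limits the protocol group under its correct CLI name, reject, rather than the documented but nonexistent firewall-reject. The packet-rate values are illustrative assumptions, not recommendations from Juniper; the statement syntax is the [edit system ddos-protection] hierarchy as documented for Junos OS 11.4 and should be verified against the DDoS Protection Configuration Guide for your platform.

```junos
# Added example (not from the release notes): police packets that the
# Packet Forwarding Engine rejects on a next-hop forwarding decision.
# The protocol group is named "reject"; "firewall-reject" does not exist.
# Bandwidth and burst are packets per second / packets and are assumed values.
set system ddos-protection protocols reject aggregate bandwidth 2000
set system ddos-protection protocols reject aggregate burst 2000
# Leave violation logging at its default (enabled) so policer hits reach syslog.
# Verify the policer state and violation counters with:
#   user@host> show ddos-protection protocols reject
```

The comment lines are annotations only and must be removed before pasting the set statements into configuration mode. The counters shown by show ddos-protection protocols reject are the quickest way to confirm that rejected traffic is actually hitting this group and not being attributed elsewhere.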

Services Applications

• The clear services l2tp session statistics and clear services l2tp tunnel statistics topics in the System Basics and Services Command Reference Guide for Junos OS Release 10.4 through 11.4 erroneously state that these commands are supported on MX Series routers. In fact, this support will be added in a future release.

[System Basics and Services Command Reference]

• The rate statement for packet sampling is now configured at the [edit forwarding-options sampling input family family] hierarchy level.

[Services Interfaces]

Subscriber Access Management

• In the Configuring Per-Subscriber Session Accounting topic in the Subscriber Access Configuration Guide, the description of the update-interval statement incorrectly states that an interval of 10 through 15 minutes is rounded up to 15. The actual behavior is that all configured values are rounded up to the next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820.

[Subscriber Access]

• The DHCP in Broadband Networks topic erroneously states that the Junos OS subscriber management solution currently supports only DHCP as a multiple-client configuration protocol. However, subscriber management solutions support DHCP and PPPoE as multiple-client configuration protocols.

[Broadband Subscriber Management Solutions]

• The Configuring Service Packet Counting topic in the Junos OS Subscriber Access Configuration Guide does not include the following configuration guideline. When you specify the service-accounting action for a term, you cannot additionally configure the count action in the same term.

[Subscriber Access]

• The table titled Supported Juniper Networks VSAs in the Juniper Networks VSAs Supported by the AAA Service Framework topic lists RADIUS VSA 26-157 (IPv6-NdRa-Pool-Name). This VSA is not supported and should not appear in the table.

[Subscriber Access]

• The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when an IGMP interface is configured in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:

[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name

• Table 25 in the Dynamic Variables Overview topic does not define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version—IGMP version configured in a client access profile. Junos OS obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.

In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version

• The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported.

[Subscriber Access, System Basics]

• When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA) message, Junos OS accepts invalid configurations. For example, if you specify a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration, and the result is unexpected shaping behavior.

[Subscriber Access]

• Juniper Networks does not support multicast RIF mapping and ANCP when configured simultaneously on the same logical interface. For example, configuring a multicast VLAN and ANCP on the same logical interface is not supported, and the subscriber VLANs are the same for both ANCP and multicast.

[Subscriber Access]

• The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In Junos OS Release 11.1, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.

[Subscriber Access]

• The Subscriber Access Configuration Guide incorrectly describes the authentication-order statement as it is used for subscriber access management. When configuring the authentication-order statement for subscriber access management, you must always specify the radius method. Subscriber access management does not support the password keyword (the default), and authentication fails when you do not specify an authentication method.


[Subscriber Access]
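The following added example, which is not part of the release notes, ties together the two errata above on the IGMP dynamic profile and the one on authentication-order: an access profile that names radius explicitly (the password default does not work for subscriber management), and a client access dynamic profile that takes both the IGMP interface name and the IGMP version from RADIUS through the predefined $junos-interface-name and $junos-igmp-version variables. The server address 192.0.2.10, the shared secret, and the profile names are constructed placeholders; lo0.0 is assumed to carry the loopback address used for unnumbered subscriber interfaces.

```junos
# Added example (not from the release notes). Constructed values: 192.0.2.10,
# the secret, and the profile names subscriber-auth and access-profile.
# RADIUS server definition shared by authentication and accounting.
set access radius-server 192.0.2.10 secret "example-secret"
set access radius-server 192.0.2.10 port 1812
# Subscriber access profile: authentication-order must name radius; the
# implicit password method is not supported for subscriber management.
set access profile subscriber-auth authentication-order radius
set access profile subscriber-auth radius authentication-server 192.0.2.10
set access profile subscriber-auth radius accounting-server 192.0.2.10
set access profile subscriber-auth accounting order radius
# Client access dynamic profile instantiated per subscriber. The interface
# name and unit come from the predefined variables; IGMP is enabled on the
# subscriber interface with the version learned from RADIUS (no colon syntax).
set dynamic-profiles access-profile interfaces $junos-interface-ifd-name unit $junos-interface-unit family inet unnumbered-address lo0.0
set dynamic-profiles access-profile protocols igmp interface $junos-interface-name version $junos-igmp-version
```

The comment lines are annotations and are removed before the set statements are pasted. If the RADIUS server does not return a value for the IGMP version, the variable has nothing to resolve to and the profile instantiation for that subscriber fails, so the RADIUS attribute that populates $junos-igmp-version has to be provisioned server-side for every subscriber that uses this profile.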

• In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table incorrectly describe VSA 26-59. The correct description is as follows:

Attribute Number   Attribute Name    Description
26-59              Med-Dev-Handle    Identifier that associates mirrored traffic to a specific subscriber.

[Subscriber Access]

• In the Subscriber Access Configuration Guide, the table titled "Supported Juniper Networks VSAs" in the "Juniper Networks VSAs Supported by the AAA Service Framework" topic lists RADIUS VSA 26-42 (Input-Gigapackets) and VSA 26-43 (Output-Gigapackets). These two VSAs are not supported.

[Subscriber Access]

• In the Junos OS Subscriber Access Configuration Guide, the "Qualifications for Change of Authorization" section in the topic titled “RADIUS-initiated Change of Authorization (CoA) Overview” has been rewritten as follows to clarify how CoA uses the RADIUS attributes and VSAs.


Qualifications for Change of Authorization

To complete the change of authorization for a user, you specify identification attributes and session attributes. The identification attributes identify the subscriber. Session attributes specify the operation (activation or deactivation) to perform on the subscriber’s session and also include any client attributes for the session (for example, QoS attributes). The AAA Service Framework handles the actual request.

Table 10 on page 123 shows the identification attributes for CoA operations.

NOTE: Using the Acct-Session-ID attribute to identify the subscriber session is more explicit than using the User-Name attribute. When you use the Acct-Session-ID, the attribute identifies the specific subscriber and session. When you use the User-Name as the identifier, the CoA operation is applied to the first session that was logged in with the specified username. However, because a subscriber might have multiple sessions associated with the same username, the first session might not be the correct session for the CoA operation.

Table 10: Identification Attributes

Attribute                               Description
User-Name [RADIUS attribute 1]          Subscriber username.
Acct-Session-ID [RADIUS attribute 44]   Specific subscriber and session.

Table 11 on page 123 shows the session attributes for CoA operations. Any additional client attributes that you include depend on your particular session requirements.

Table 11: Session Attributes

Attribute                                           Description
Activate-Service [Juniper Networks VSA 26-65]       Service to activate for the subscriber.
Deactivate-Service [Juniper Networks VSA 26-66]     Service to deactivate for the subscriber.

[Subscriber Access]


System Logging

• The Junos OS Release 11.2 System Log Error Messages Reference Guide does not list the following new message, which is now recorded in the system log when RSVP fails to reserve the requested bandwidth for a label-switched path (LSP):

RPD_MPLS_REQ_BW_NOT_AVAILABLE

System Log Message: RSVP failed to set up path with the requested bandwidth on LSP lsp-name

Description: After a successful CSPF computation, network conditions changed and RSVP failed to set up the path with the requested bandwidth, resulting in a path error. If this happened during initial LSP establishment, the LSP did not come up. Otherwise, during an optimization or automatic bandwidth adjustment, the LSP stayed up on the old path and kept the previous amount of bandwidth.

Type: Event: This message reports an event, not an error

Severity: warning

Facility: LOG_DAEMON

Action: This condition arises when the requested bandwidth is not available. No action is required in general, but if the LSP does not get established in the first place, you may want to re-optimize the LSP, change the LSP bandwidth configuration, or add hardware to increase the available bandwidth.

[System Log Error Messages Reference]

User Interface and Configuration

• The show system statistics bridge command displays system statistics on MX Series routers.

[System Basics Command Reference]

VPNs

• Junos OS Release 11.2 and earlier do not support point-to-multipoint LSPs with next-generation multicast VPNs on MX80 routers.

[VPNs]

• In Chapter 19, Configuring VPLS, of the VPNs Configuration Guide, an incorrect statement that caused contradictory information about which platforms support LDP BGP interworking has been removed. The M7i router was also omitted from the list of supported platforms. The M7i router does support LDP BGP interworking.

[VPNs]


Changes to the Junos OS Documentation Set

The following are the changes made to the Junos OS documentation set:

• A new solutions guide, Next-Generation Network Addressing CGN and IPv6 Solutions, is available in PDF format starting in Junos OS Release 11.4B1. Full documentation will be posted in 11.4R1. The book provides consolidated and updated information on how to use Carrier-Grade NAT (CGN) and related IPv6 transition technologies, including Dual-Stack Lite (DS-Lite), 6rd, and 6to4 Provider-Managed Tunnels (PMT).

• The Junos OS DDoS Protection Configuration Guide is now available at the following URL: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-ddos/ddos-protection.html

• Stateless firewall filter and traffic policer documentation is no longer included in the Junos OS Policy Framework Configuration Guide. This material is now available in the Junos OS Firewall Filter and Policer Configuration Guide only.

• Routing policy, traffic sampling, forwarding, and monitoring documentation is no longer included in the Junos OS Policy Framework Configuration Guide. This material is now available in the Junos OS Routing Policy Configuration Guide.

• The material that was formerly covered in the Junos OS Policy Framework Configuration Guide Web pages is now available as three subject-based Web pages. You can locate the links to the new Web pages at the following URLs:

• Routing Policy, Traffic Sampling, Forwarding, and Monitoring Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-policy/config-guide-policy.html

• Stateless Firewall Filter Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html

• Traffic Policer Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-firewall-filter/config-guide-policer.html

• The Junos OS Hierarchy and Standards Reference is now available as three subject-based Web pages. You can locate the links to the new Web pages for the guides at the following URLs:

• Junos OS Configuration Statements and Commands—http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages/reference-hierarchy/junos-configuration-hierarchies.html

• Junos OS Product and Feature Descriptions—http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages/reference-hierarchy/junos-product-features.html

• Standards Supported by the Junos OS—http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages/reference-hierarchy/junos-supported-standards.html

• The term “Multiplay” has been replaced with “Session Border Control” in the Junos OS Release Notes.

• The Integrated Multi-Service Gateway (IMSG) pathway page now includes three complete configuration examples:

• IMSG—Basic Configuration

• IMSG—Dual BGFs

• IMSG—Server Clusters

The configuration examples are applicable to Junos OS Release 10.2 and later.

• In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML pages in the Junos OS documentation set. PDF files are available for the complete Junos OS Release 10.3 configuration guides at http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the complete hardware guides are accessible at the following URLs:

• For M Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/

• For MX Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/

• For T Series and TX Matrix routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/

In addition, individual HTML pages have a Print link in the upper left corner of the text area on the page.

Related Documentation

• New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers on page 49

• Changes in Default Behavior and Syntax, and for Future Releases in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

• Issues in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers


Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers

Powered by Junos OS, Juniper Networks Branch SRX Series Services Gateways provide robust networking and security services. Branch SRX Series Services Gateways are designed to secure enterprise infrastructure, data centers, and server farms. The Branch SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 137

• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 139

• Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 162

• Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 167

• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 176

New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

The following features have been added to Junos OS Release 11.4. Following the description is the title of the manual or manuals to consult for further information.

NOTE: For the latest updates about support and issues on Junos Pulse, see the Junos Pulse Release Notes at http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/pathway-pages/junos-pulse/index.html

• Software Features on page 128

• Hardware Features—SRX210 Services Gateways on page 136


Software Features

AppSecure

• Application Groups—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Application grouping is an enhancement to the AppSecure feature. It allows users to group applications in policies.

Application grouping is mainly used to support:

• Customer-defined and predefined application groups in the application identification module

• Multiple applications or groups in the application groups

• Application group support for application firewall (AppFW)—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The SRX Series devices allow configuring application firewall policies based on individual applications. This new feature allows you to group applications and application groups under a single name for simplified, consistent reuse when defining application firewall policies.

[Junos OS Security Configuration Guide]

• Application signature management and usability enhancements—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Juniper Networks provides improvements in the usability and management of predefined application signatures available through the Junos OS application signature package subscription service. Previously, predefined application signature updates were downloaded to the Junos OS configuration file, resulting in an unnecessarily large file. To improve usability, application signature updates are now downloaded and installed in a separate application signature database on the SRX Series device.

Using CLI commands, users can manage predefined and custom application signatures and application signature groups, as follows:

• View detailed and summary information.

• Copy, disable, and enable predefined application signatures for maximum flexibility in the use and reuse of predefined application signatures and custom application signatures.

• Create custom signatures by copying a predefined signature and using it as a template.

In addition, CLI [services application-identification] commands provide more options for the display and configuration of custom application signatures and application signature groups.

[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS Security Configuration Guide]


• Heuristic detection of encrypted P2P applications—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Peer-to-peer applications such as Skype contain encrypted data packets. The SRX Series devices cannot identify the encrypted data packets with the current application signatures, which are based on regular expression patterns. Heuristics are used to improve the detection rate. Junos OS detects encrypted peer-to-peer traffic on TCP and UDP.

If a session cannot be identified as known encrypted peer-to-peer traffic, you can assign it to a special application called junos:unspecified-encrypted. An application firewall rule set can match this application in the same way as any other dynamic application.

The [edit services application-identification] hierarchy has a new option, enable-heuristics, which you use to enable detection of encrypted peer-to-peer applications. The enable-heuristics option is off by default.

The show services application-identification counter command has two new per-SPU counters, Unspecified encrypted sessions and Encrypted P2P sessions:

root> show services application-identification counter
pic: 1/0
  Counter type                          Value
  Unspecified encrypted sessions        10
  Encrypted P2P sessions                5
pic: 1/1
...

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
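As an added example that is not part of the release notes, the following configuration turns on the heuristics described above and uses an application firewall rule set to deny sessions that application identification can only classify as junos:unspecified-encrypted, while letting every other identified application through the zone policy. The zone names, rule-set name, and policy name are illustrative; the statement syntax is the 11.4 application-firewall syntax as this editor knows it and should be checked against the Security Configuration Guide.

```junos
# Added example (not from the release notes). Names trust, untrust,
# block-unknown-encrypted and outbound are constructed for illustration.
# Enable heuristic classification of encrypted peer-to-peer traffic (off by default).
set services application-identification enable-heuristics
# Rule set: deny what AppID can only label as unspecified encrypted traffic,
# permit everything else that was identified.
set security application-firewall rule-sets block-unknown-encrypted rule deny-unspecified match dynamic-application junos:unspecified-encrypted
set security application-firewall rule-sets block-unknown-encrypted rule deny-unspecified then deny
set security application-firewall rule-sets block-unknown-encrypted default-rule permit
# Zone policy that permits the traffic and hands it to the rule set.
set security policies from-zone trust to-zone untrust policy outbound match source-address any
set security policies from-zone trust to-zone untrust policy outbound match destination-address any
set security policies from-zone trust to-zone untrust policy outbound match application any
set security policies from-zone trust to-zone untrust policy outbound then permit application-services application-firewall rule-set block-unknown-encrypted
```

Two caveats a practitioner should keep in mind. First, the application firewall verdict is only available once application identification has classified the session, so the first packets of a session are forwarded under the permit action before the deny can take effect; this is not a way to block the initial handshake. Second, the heuristic classification is probabilistic by nature, so watch the Unspecified encrypted sessions counter from show services application-identification counter after enabling it and compare it with the session logs before trusting the deny rule in production.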

• IPv6 application firewall support—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Application firewall now supports IPv6 addressing on these SRX Series Services Gateways.

Application firewall was previously supported in the IPv4 environment. Beginning with Junos OS Release 11.4, it is also supported on IPv6.

Juniper Networks devices provide additional security protection against known dynamic applications that can send traffic that might not be adequately controlled by standard network firewall policies. The application firewall functionality enforces policies based on the results of the application identification process. The application identification process identifies applications using pattern matching, protocol decoding, and heuristics.

To implement application firewall support:

• Network security policy—Modify the policy configuration to support the application firewall rule set within the existing configuration.

• Application firewall rule set—Define an application firewall rule set to be referenced by the network security policy.

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]


• Nested application identification enhancement—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

New application identification contexts have been added for more extensive nested application matching. Several new HTTP contexts have been added for application detection:

• http-get-url-parsed-param-parsed

• http-post-url-parsed-param-parsed

• http-post-variable-parsed

• http-header-user-agent

• http-header-cookie

For encrypted HTTP sessions, the new ssl-server-name context extracts the server name from an SSL SERVER HELLO message and an SSL CLIENT HELLO message if they exist.

[Junos OS Security Configuration Guide]

• On-box application tracking statistics—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

This feature adds application-level statistics to the AppSecure suite. Application statistics allow an administrator to access cumulative statistics as well as statistics accumulated over user-defined intervals. The administrator can clear the statistics and configure the interval values.

Bytes and session count statistics are maintained. Because the statistics count occurs at AppTrack session close event time, the byte and session counts are not updated until the session closes.

SRX Series devices support a history of 8 intervals that an administrator can use to display the application session and byte counts.

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]

Global Policy

• Global policy—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Unlike other security policies, global policies do not reference specific source and destination zones (from-zone and to-zone). Global policies allow you to regulate traffic with addresses and applications, regardless of their security zones. Global policies reference user-defined addresses or the predefined address “any.” These addresses can span multiple security zones.

[Junos OS Security Configuration Guide]
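As an added example that is not part of the release notes, the following global policy drops and logs all traffic to one address, whatever zones the traffic crosses, so that a single rule replaces one deny rule per zone pair. The address 203.0.113.7 (RFC 5737 documentation range) and the names are constructed; the global address book and global policy syntax are as this editor knows them for Junos OS 11.4.

```junos
# Added example (not from the release notes). Address and names are constructed.
# Global address book entry, visible from every zone.
set security address-book global address blocked-host 203.0.113.7/32
# Global policy: no from-zone/to-zone, matched after the zone-pair policies.
set security policies global policy drop-blocked-host match source-address any
set security policies global policy drop-blocked-host match destination-address blocked-host
set security policies global policy drop-blocked-host match application any
set security policies global policy drop-blocked-host then deny
set security policies global policy drop-blocked-host then log session-init
```

The evaluation order matters: zone-pair policies are consulted first and global policies only if no zone-pair policy matched, so a global deny does not override an existing permit between two zones. Where the intent is a hard block, either keep the zone-pair policies from matching that destination or put the deny in each zone pair as well.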

• Web authentication—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Web authentication now supports IPv6 addresses.


• Firewall Authentication—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Firewall authentication now supports IPv6 addresses.

Intrusion Detection and Prevention (IDP)

• IDP content decompression on HTTP—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

To avoid IDP detection evasion on HTTP compressed content, an IDP submodule has been added that decompresses the protocol content. The signature pattern matching is performed on the decompressed content. The decompression feature is disabled by default.

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]

• IDP attack description—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 for both J-Web and the CLI.

The IDP attack description feature enables users to use the CLI to learn more about IDP attack objects. Currently, users view IDP attack objects in the /var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for users to investigate and manage IDP attack objects. Users can quickly and easily administer IDP attack objects when the details are displayed through the CLI.

You can use the show security idp attack description and the show security idp attack detail operational mode commands to display details about IDP attack objects.

[Junos OS CLI Reference Guide]

J-Web

• Customer branding of firewall authentication webpage—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Juniper Networks enables the administrator to replace the embedded Juniper Networks logo present on the firewall authentication webpage with a customer graphic. It also provides the ability to create a different logo for different logical systems.

• IDP monitoring—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices.

The following pages have been added to the J-Web user interface:

• Attacks Monitoring page

• Applications Monitoring page

• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

• J-Web for Layer 2 transparency—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The following pages have been added to the J-Web user interface:

• Configuring bridge domains

• Configuring static MAC address to Layer 2 interfaces under bridge domains

• Monitoring bridge domains

• Configuring interface as family bridge

• MAC learning and limiting global MAC learning count

• Security flow bridge configurations

• J-Web DVPN pages enhancement—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The following J-Web pages have been created for dynamic VPN (DVPN) configuration and converted to the EXTJS framework to enhance usability:

• Dynamic VPN Global Settings

• Dynamic VPN Client Edit

For configuration, you can now configure IKE and IPsec autokey for DVPN through the Auto Tunnel > Phase I and Phase II pages.

SNMP

• Juniper Networks enterprise-specific License MIB—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices. It extends SNMP support for licensing information.

The enterprise-specific License MIB:

• Contains information about license features and the expiration details to reduce the burden involved in managing licenses.

• Generates traps to alert users. For example, an alert is generated when a license expires or when the total number of users exceeds the maximum number specified in the license.

• Provides access to license-related information through the SNMP get and get-next operations.

[Junos OS SNMP MIBs and Traps Reference, MIB Reference for Branch SRX Series Services Gateways]

Security

• Enhanced Web Filtering—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Enhanced Web Filtering with Websense is an integrated URL filtering solution. When you enable Enhanced Web Filtering on the device, the device intercepts HTTP and HTTPS requests and then sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of over 95 categories and also provides a site reputation. The TSC returns the URL category and the site reputation information to the device. The device then determines whether it can permit or block the request based on the information provided by the TSC.

You can consider Enhanced Web Filtering as an alternative to the existing integrated URL filtering Surf Control Content Portal Authority (SC-CPA) solution on the SRX Series devices. J Series devices, however, support only the existing SC-CPA functionality.

NOTE: You need to install a new license on the device to upgrade to the Enhanced Web Filtering solution.

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]

• GTP IE removal—This feature is supported on all branch SRX Series and J Series devices.

The multiple versions of the Third-Generation Partnership Project (3GPP) specifications create interoperability problems in the mobile network. Junos OS Release 11.4 supports removal of R7, R8, and R9 information elements (IEs) from GTPv1 messages, which allows you to retain interoperability.

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]

• Security policies for self-traffic—This feature is supported on all branch SRX Series and J Series devices.

Users can now configure security policies for the self-traffic (the host inbound traffic or the host outbound traffic) of the device. The user can further apply relevant services to the new self-traffic policy.

The security policies for the self-traffic are configured under the new default security zone called the junos-host zone.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Internet Key Exchange version 2 (IKEv2)—This feature is supported on all branch SRX Series devices.

IKEv2 is the next-generation standard for secure key exchange between peer devices, defined in RFC 4306. IKEv2 is available in Junos OS Release 11.4 for securing IPsec traffic. The initial release does not support all the capabilities described in the RFCs.

The advantages of using version 2 over version 1 are as follows:


• Simplifies the existing IKEv1

• Single RFC, including NAT-T, EAP, and remote address acquisition

• Replaces the 8 initial exchanges with a single 4-message exchange

• Reduces the latency for the IPsec SA setup and increases connection establishment

speed

• Increases robustness against DoS attack

• Improves reliability through the use of sequence numbers, acknowledgements, and

error correction

• Offers forward compatibility

• Provides simple cryptographic mechanisms

IKEv2 includes support for:

• Route-based VPN

• Site-to-site VPN

• Dead peer detection (liveness check)

• Chassis cluster

• Certificate-based authentication

• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange

• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist

without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if

the child SAs are currently active, the corresponding IKE SA will be rekeyed.

• Version 1 and version 2

[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]

UTM

• UTM support in chassis cluster active/active configuration—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Previously, UTM support existed only for the Packet Forwarding Engine in active/backup chassis cluster configurations. Also, both the Packet Forwarding Engine and the Routing Engine had to be active on the same node for UTM functionality to work.

This feature introduces UTM support for active/active chassis cluster configurations where the Packet Forwarding Engine can be active on both cluster nodes. With active/active chassis cluster support, the Routing Engine and Packet Forwarding Engine can be active on different nodes.


NOTE: Sophos AV is not supported as part of the active/active chassis cluster implementation.

UTM supports stateless (no state regarding UTM is synced between the cluster nodes) Packet Forwarding Engine active/active chassis cluster configurations.

With Junos OS Release 11.4, the UTM functionality is supported in both active/active

and active/backup chassis cluster configurations.

UTMwith chassis cluster supports the following failover types:

• Manual failover

• RG0 automatic failover

• RG1+ automatic failover

• Failover through flowd restart

• Failover through reboot

Chassis cluster support is enabled for the following UTM features:

• Content filtering

• URL (Web) filtering

• Antispam

• Express antivirus scanning

• Full file-based antivirus scanning

[Junos OS Security Configuration Guide, Junos OS Feature Support Reference for SRX Series and J Series Devices]

VPN

• Site-to-site VPN support for NAT-T—This feature is supported on all branch SRX Series devices and J Series devices.

Site-to-site IKE gateway configuration for Network Address Translation-Traversal (NAT-T) is now supported on the server side (IKE responder). This is in addition to the current implementation of NAT-T support for dynamic IKE gateway configuration. A remote-identity value is used to validate a peer’s ike-id or id during Phase 1 of IKE tunnel negotiation.

[Junos OS Security Configuration Guide]

Virtual Private LAN Service (VPLS)

• Filtering and policing support (packet based)—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

This feature permits users to configure both firewall filters and policers for virtual private LAN service (VPLS). Firewall filters enable you to filter packets based on their components and perform an action on packets that match the filter. Policers enable you to limit the amount of traffic that passes into or out of an interface.

This feature can be enabled by configuring VPLS filters, policers, and accounting through various CLI commands. VPLS filters and policers act on a Layer 2 frame that includes the media access control (MAC) header (after any VLAN rewrite or other rules are applied), but that does not include the cyclic redundancy check (CRC) field.

NOTE: You can apply VPLS filters and policers on the PE routers only to customer-facing (PE-CE) interfaces.

[Junos OS MPLS Configuration Guide for Security Devices]

Hardware Features—SRX210 Services Gateways

AX411 Access Point

• AX411 Access Point management is now supported on SRX100 and SRX110 devices in addition to the existing support on SRX210, SRX220, SRX240, and SRX650 devices.

The AX411 Access Point provides network access for wireless clients such as laptop or desktop computers, personal digital assistants (PDAs), and any other device equipped with a Wi-Fi adapter. The AX411 Access Point supports the new IEEE 802.11n wireless networking standard with backward compatibility for the IEEE 802.11a/b/g standards.

You can manage and configure access points from the SRX Series device through the Junos operating system (Junos OS) command-line interface (CLI), the J-Web interface, and Network and Security Manager (NSM).


3G ExpressCard Support on the SRX210 Services Gateway

• Junos OS Release 11.4 supports the Sierra Wireless AirCard 503 (AC503) ExpressCard for GSM, HSPA, and UMTS networks on SRX210 devices, to provide wireless WAN connectivity as backup to primary WAN links. The AC503 ExpressCard is not available from Juniper Networks.

3G USB Modem Support on the SRX210 Services Gateway

• Junos OS Release 11.4 supports the Sierra Wireless USB modem (U319, HSPA+ quad-band) on the SRX210 device (on USB port 1).

To use the 3G USB modem on the SRX210 device:

1. Upgrade the BIOS software packaged inside the Junos OS image. For detailed information about BIOS upgrade procedures, see the Junos OS Initial Configuration Guide for Security Devices.

NOTE: You need BIOS version 2.1 or later to use the 3G USB modems on the SRX210 device.

2. Configure the WAN port using the CLI command set chassis routing-engine usb-wwan port 1 to enable the USB port to use the U319 USB modem. See the Junos OS CLI Reference Guide.

3. Plug the 3G USB modem into the appropriate USB slot (USB port 1) on the device.

NOTE: You can use the USB modem with a standard USB extension cable of 1.8288 meters (6 ft) or longer.

4. Reboot the device to start using the 3G USB modem.

Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:


Command-Line Interface (CLI)

• On SRX100, SRX110, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the

clear services flow command is not supported.

• On all branch SRX Series and J Series devices, the following commands are now supported:

  CLI Command                                                       Description
  show pppoe interfaces                                             List all Point-to-Point Protocol over Ethernet (PPPoE) sessions.
  request pppoe connect                                             Connect to all sessions that are down.
  request pppoe connect <pppoe-interface-name>                      Connect only to the specified session.
  request pppoe disconnect                                          Disconnect all sessions that are up.
  request pppoe disconnect <session-id | pppoe-interface-name>      Disconnect only the specified session, identified by either a session ID or a PPPoE interface name.

Intrusion Detection and Prevention (IDP)

• On all branch SRX Series devices, for a dynamic attack group using the direction filter, the expression AND should be used together with the exclude values. As is the case with all filters, the default expression is OR; the direction filter, however, also offers AND.

For example, if you want to choose all attacks with the direction client-to-server, configure the direction filter using the set security idp dynamic-attack-group dyn1 filters direction values client-to-server command.

In the case of chain attacks, each of the multiple members has its own direction. If a policy includes chain attacks, a client-to-server filter selects all chain attacks that have any member with client-to-server as the direction. This means chain attacks that include members with server-to-client or ANY as the direction are selected if the chain has at least one member with client-to-server as the direction.

To prevent these chain attacks from being added to the policy, configure the dynamic group as follows:

• set security idp dynamic-attack-group dyn1 filters direction expression and

• set security idp dynamic-attack-group dyn1 filters direction values client-to-server

• set security idp dynamic-attack-group dyn1 filters direction values exclude-server-to-client

• set security idp dynamic-attack-group dyn1 filters direction values exclude-any
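The selection rules described above, modeled as an added example (this is not Juniper code and not part of the release notes): each attack is represented by the set of directions its members carry, each direction filter value is evaluated as a predicate on that set, and the expression decides whether any value (OR) or every value (AND) must hold. The attack names are constructed, and the assumption that the device combines values with the expression exactly this way is drawn from the text above; the script also renders the equivalent set commands.

```python
from typing import Dict, FrozenSet, Iterable, List

DIRECTIONS = ("client-to-server", "server-to-client", "any")

# Constructed sample attack objects (hypothetical names, not real IDP signature
# names). Each maps to the set of directions carried by its members: one
# direction for a simple attack, several for a chain attack whose members differ.
SAMPLE_ATTACKS: Dict[str, FrozenSet[str]] = {
    "HTTP:C2S-ONLY": frozenset({"client-to-server"}),
    "SMTP:S2C-ONLY": frozenset({"server-to-client"}),
    "FTP:ANY":       frozenset({"any"}),
    "CHAIN:C2S-C2S": frozenset({"client-to-server"}),  # two members, both client-to-server
    "CHAIN:C2S-S2C": frozenset({"client-to-server", "server-to-client"}),
    "CHAIN:C2S-ANY": frozenset({"client-to-server", "any"}),
}


def _matches(value: str, member_dirs: FrozenSet[str]) -> bool:
    """Evaluate one direction filter value against an attack's member directions.

    A plain value such as "client-to-server" holds when at least one member has
    that direction; "exclude-<direction>" holds when no member has it.
    """
    if value.startswith("exclude-"):
        direction = value[len("exclude-"):]
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown direction value: {value}")
        return direction not in member_dirs
    if value not in DIRECTIONS:
        raise ValueError(f"unknown direction value: {value}")
    return value in member_dirs


def select_attacks(attacks: Dict[str, FrozenSet[str]],
                   values: Iterable[str],
                   expression: str = "or") -> List[str]:
    """Return, sorted, the attacks the dynamic group would pull in.

    With the default "or" an attack is selected as soon as one value holds, so a
    chain with a single client-to-server member is selected whatever its other
    members are. With "and" every value must hold, which is what lets the
    exclude-* values drop chains that also carry server-to-client or any members.
    (Assumption: the device combines the values exactly this way.)
    """
    if expression not in ("and", "or"):
        raise ValueError("expression must be 'and' or 'or'")
    values = list(values)
    combine = all if expression == "and" else any
    return sorted(name for name, dirs in attacks.items()
                  if combine(_matches(v, dirs) for v in values))


def to_set_commands(group: str, values: Iterable[str],
                    expression: str = "or") -> List[str]:
    """Render the equivalent Junos set commands for the filter."""
    prefix = f"set security idp dynamic-attack-group {group} filters direction"
    cmds: List[str] = []
    if expression == "and":  # "or" is the default and needs no statement
        cmds.append(f"{prefix} expression and")
    cmds.extend(f"{prefix} values {v}" for v in values)
    return cmds


STRICT_C2S = ["client-to-server", "exclude-server-to-client", "exclude-any"]

if __name__ == "__main__":
    print("OR, client-to-server only:  ", select_attacks(SAMPLE_ATTACKS, ["client-to-server"]))
    print("OR with excludes (wrong):   ", select_attacks(SAMPLE_ATTACKS, STRICT_C2S, "or"))
    print("AND with excludes (correct):", select_attacks(SAMPLE_ATTACKS, STRICT_C2S, "and"))
    print("\n".join(to_set_commands("dyn1", STRICT_C2S, "and")))
```

The "OR with excludes" case is the one to watch: with the default expression, adding exclude-server-to-client and exclude-any widens the group to every attack in the sample, because each exclude value is satisfied by any attack that lacks that direction. Only the AND form yields the chains whose members are all client-to-server.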

Multicast

• On all branch SRX Series and J Series devices, if the maximum number of leaves on a multicast distribution tree is exceeded, multicast sessions are created up to the maximum number of leaves, and any multicast sessions that exceed the maximum number of leaves are ignored. In previous releases, no multicast traffic was forwarded if the maximum number of leaves on the multicast distribution tree was exceeded. The maximum number of leaves on a multicast distribution tree is device specific.

Virtual Private Networks (VPNs)

• On SRX650 devices, the perfect forward secrecy setting in an IPsec policy overrides

the settings in proposal-sets in Junos OS Release 10.4 and later.

Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

AppSecure

• Junos OS application identification

When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

• J-Web pages for AppSecure are preliminary.

• Custom application signatures and custom nested application signatures are not

currently supported by J-Web.

• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not

applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW

counters.

• AppSecure (AppTrack and AppFW) on the SRX100, SRX210, SRX220, SRX240, and

SRX650 devices is available through a controlled (EFT – Early Field Trial) release.
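A check for the order-value uniqueness rule stated under "Junos OS application identification" above, as an added example (not Juniper code): it parses saved output of show services application-identification | display set | match order, reports every order value claimed by more than one signature, and suggests the next unused value. The sample lines are constructed, the signature names and the download URL are hypothetical, and the pattern's acceptance of a nested-application keyword is an assumption about the display-set form.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# One line of "show services application-identification | display set" that
# carries an order value. Predefined and custom signatures share one order space,
# so every such line counts, whatever the signature's origin. Accepting a
# nested-application keyword here is an assumption about the display-set form.
ORDER_RE = re.compile(
    r"^set services application-identification\s+"
    r"(?P<kind>nested-application|application)\s+(?P<name>\S+)\s+"
    r".*\border\s+(?P<order>\d+)\s*$"
)

# Constructed sample output; the signature names and URL are hypothetical. The
# download line shows that statements without an order value are skipped.
SAMPLE_DISPLAY_SET = """\
set services application-identification download url https://appid.example.invalid/
set services application-identification application junos:HTTP signature order 10
set services application-identification application junos:SSH signature order 20
set services application-identification application my-custom-http signature order 10
set services application-identification application my-custom-tls signature order 300
"""


def parse_orders(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map each order value to the signature names that use it, in input order."""
    by_order: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        match = ORDER_RE.match(line.strip())
        if match:
            by_order[int(match["order"])].append(match["name"])
    return dict(by_order)


def find_conflicts(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Order values claimed by more than one signature; empty means the config is clean."""
    return {order: names for order, names in parse_orders(list(lines)).items()
            if len(names) > 1}


def next_free_order(lines: Iterable[str], wanted: int) -> int:
    """Smallest order value >= wanted that no existing signature uses."""
    used = set(parse_orders(list(lines)))
    order = wanted
    while order in used:
        order += 1
    return order


if __name__ == "__main__":
    lines = SAMPLE_DISPLAY_SET.splitlines()
    for order, names in sorted(find_conflicts(lines).items()):
        print(f"order {order} is used by {len(names)} signatures: {', '.join(names)}")
        print(f"  next free value at or above {order}: {next_free_order(lines, order)}")
```

Run it against the real output saved from the device before committing a custom signature; a non-empty result from find_conflicts is exactly the condition the limitation warns about, and next_free_order gives a value that will not collide with a predefined signature.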


AX411 Access Points

• On SRX210, SRX240, and SRX650 devices, up to four access points (maximum) can

be configured andmanaged.

Chassis Cluster

• SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster

limitations:

• Virtual Router Redundancy Protocol (VRRP) is not supported.

• In-service software upgrade (ISSU) is not supported.

• The 3G dialer interface is not supported.

• On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4 to 6 minutes.

• On very-high-bit-rate digital subscriber line (VDSL) mini-PIM, chassis cluster is not

supported for VDSLmode.

• Queuing on the aggregated Ethernet (ae) interface is not supported.

• Group VPN is not supported.

• Sampling features such as J-Flow, packet capture, and port mirroring on the reth interface are not supported.

• Switching is not supported in chassis cluster mode for SRX100 and SRX210.

• The Chassis Cluster MIB is not supported.

• Any packet-based services like MPLS and CLNS are not supported.

• lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.

• lt-0/0/0—CoS for real-time performance monitoring (RPM) is not supported.

• pp0—PPPoE and PPPoEoA are not supported.

• Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families is not supported.

• Layer 2 Ethernet switching

The factory default configuration for SRX100 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.


CAUTION: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration and might result in undesirable behavior from the devices, leading to possible network instability.

The default configuration for other SRX Series devices and all J Series devices does

not automatically enable Ethernet switching. However, if you have enabled Ethernet

switching, be sure to disable it before enabling clustering on these devices too.

• On all J Series devices, a Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.

• On all branch SRX Series devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.

• On J Series devices, the ISDN feature on chassis cluster is not supported.

Command-Line Interface (CLI)

• On all J Series devices, RADIUS accounting is not supported.

• On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the

device by using the CLI. The number of users allowed to access the device is limited

as follows:

• For SRX210 devices: four CLI users and three J-Web users

• For SRX240 devices: six CLI users and five J-Web users

• On J6350 devices, the power ratings provided by the user documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM Power and Thermal Calculator) differ by one unit from the power ratings displayed by the CLI. The cause is a round-off difference: the CLI rounds the value down to the lower integer, whereas the user documentation rounds it up to the higher integer. As a workaround, follow the user documentation for accurate ratings.

DOCSIS Mini-PIM

• On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.

Dynamic Host Configuration Protocol (DHCP)

• SRX Series and J Series devices do not support DHCPv6 client authentication.

Dynamic VPN

SRX100, SRX210, and SRX240 devices have the following limitations:

• The IKE configuration for the Junos Pulse client does not support the hexadecimal

preshared key.


• The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol or the Encapsulating Security Payload (ESP) protocol with NULL authentication.

• When you log in through the Web browser (instead of through the Junos Pulse client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).

• On SRX Series devices, DH group 14 is not supported for dynamic VPN.

• On branch SRX Series devices, when you download the Junos Pulse client through a Mozilla browser, the “Launching the VPN client” page appears while the client is still downloading; when you download the client through Internet Explorer, the “Launching the VPN Client” page appears only after the client has been downloaded and installed.

Flow and Processing

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packet sizes greater than or equal to 1500 bytes, and hence those packets will not be sampled. You could run out of buffers when the rate of the traffic stream is high.

• On SRX100 and SRX240 devices, the data file transfer rate for more than 20 megabits per second is reduced by 60 percent with the introduction of the Junos Pulse 1.0 client as compared to the Acadia client that was used before Junos OS Release 11.1.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.

• On all branch SRX Series and J Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).

• On all branch SRX Series devices, you cannot configure route policies and route patterns in the same dial plan.

• On all branch SRX Series devices, you can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.

• On all J Series devices, even when forwarding options are set to drop packets for the

ISO protocol family, the device forms End System-to-Intermediate System (ES-IS)

adjacencies and transmits packets because ES-IS packets are Layer 2 terminating

packets.

• On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons such as CPU-intensive commands and SNMP walks causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing large BGP updates.

• On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.


• Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:

  Sessions   SRX210   SRX240   SRX650
  ssh        3        5        5
  telnet     3        5        5
  Web        3        5        5

NOTE: These defaults are provided for performance reasons.

• On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of the CLI and J-Web to the numbers of sessions listed in the following table:

  Device   CLI   J-Web   Console
  SRX210   3     3       1
  SRX240   5     5       1

• On SRX100 devices, Layer 3 control protocols (OSPF, using a multicast destination MAC address) on the VLAN Layer 3 interface work only with access switch ports.

Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN

Cisco’s implementation of the Group Domain of Interpretation (GDOI) is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.

Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server and the Juniper Networks security devices are group members, with the following caveats:

The group VPN in Release 11.4 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.

To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as having bad security parameter indexes (SPIs). The Juniper Networks security device can recover from this situation by reregistering with the server to download the new key.

Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not interoperate with a Cisco group member if time-based antireplay is used because the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members because the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.

According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member needs to match Cisco behavior.

A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B encrypted by key 1. The member can set a deny policy so that OSPF traffic between subnet A and subnet B is not encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Juniper Networks security device.

On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.

Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.

GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.


Hardware

This section covers filter and policing limitations.

• On SRX650 devices, the T1/E1 GPIMs (2-port or 4-port version) do not work in Junos

OS Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases,

but if you roll back to the 9.6R1 image, this issue is still seen.

Interfaces and Routing

• Dynamic VLAN assignments and guest VLANs are not supported on J Series and SRX100 devices.

• On SRX650 devices, Ethernet switching is not supported on the Gigabit Ethernet interfaces ge-0/0/0 through ge-0/0/3.

• The SRX210, SRX220, SRX240, and SRX650 devices cannot send logs to the NSM when logging is configured in stream mode. This is because the security log does not support configuring the source IP address for the fxp0 interface, and the security log destination in stream mode cannot be routed through the fxp0 interface. This means that you cannot configure the security log server in the same subnet as the fxp0 interface or route to the log server through the fxp0 interface.

• On all branch SRX Series devices, the number of child interfaces per node is restricted

to 4 on the reth interface and the number of child interfaces per reth interface is

restricted to 8.

• On SRX240 High Memory devices, traffic might stop between the SRX240 device and the Cisco switch due to a link mode mismatch. We recommend setting autonegotiation parameters on both ends to the same value.

• On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a

workaround, run the restart fpc command and restart the FPC.

• On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested.

• On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) join messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.

• On J Series devices, the DS3 interface does not have an option to configure

multilink-frame-relay-uni-nni (MFR).

• On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in

the asymmetric digital subscriber line (ADSL) mode, the first packet passing through

the PIM is dropped.

• On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the option destination-interface.


• On J Series device routed ports, Link Layer Discovery Protocol (LLDP) is not supported.

• In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If you configure IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in segmentation and reassembly (SAR).

Example (the annotation on each line names what it configures):

  set interfaces at-5/0/0 unit 0 vci 1.110
  set interfaces at-5/0/0 unit 0 shaping cbr 62400                           (ATM CoS)
  set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map      (IP CoS)
  set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400          (IFL shaper matching the ATM CoS rate)

• On SRX210, SRX220, and SRX240 devices, the 1-port Gigabit Ethernet SFP mini-PIM does not support switching in Junos OS Release 11.4.

• On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.

• On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN range, and you cannot configure VLANs from this range.

• On SRX650 devices, the last four ports of a 24-port Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP medium is preferred. If the SFP medium is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off intermittently. Similarly, when the RJ-45 medium is active and a small form-factor pluggable transceiver (SFP) link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.

• On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.

• On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 ae interface, the following features are not supported:

• Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE) on Layer 3 ae interfaces

• J-Web

• Layer 3 ae for 10-Gigabit Ethernet

• On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.

• On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it also blocks the remote copy (rcp) between cluster nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. If you nevertheless choose to use the system login deny-sources statement, check the private addresses that were automatically configured on lo0.x and sp-0/0/0.x and exclude them from the denied list.


Internet Key Exchange Version 2 (IKEv2)

On all branch SRX Series devices, IKEv2 does not include support for:

• Policy-based tunnels

• Dial-up tunnels

• Network Address Translation-Traversal (NAT-T)

• VPNmonitoring

• Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for multiple tunnels

• Extensible Authentication Protocol (EAP)

• IPv6

• Multiple child SAs for the same traffic selectors for each QoS value

• Proposal enhancement features

• Reuse of Diffie-Hellman (DH) exponentials

• Configuration payloads

• IP Payload Compression Protocol (IPComp)

• Dynamic Endpoint (DEP)

Intrusion Detection and Prevention (IDP)

• On SRX Series and J Series devices, from Junos OS Release 11.4 onwards, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of the IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (sec Db install) is automatically performed when the IDP daemon comes up, and previously installed database files get deleted. However, migration depends on the XML files for the installed database being present on the device. For first-time installation, full update files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.

Workaround: Use the CLI command request security idp security-package download full-update to manually download the individual components of the security package from the Juniper Security Engineering portal before upgrading or downgrading the image in the previous case.
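The workaround as an operational sequence, added here for illustration rather than taken from the release notes: the full update is downloaded, the download is confirmed complete, the package is installed and the installed version is checked before the image is changed. The status, install and version commands are standard IDP security-package commands that the note above does not name.

```junos
# Added example (not from the release notes): run in operational mode before the
# upgrade or downgrade so that full update files, not only an incremental update,
# are present on the device for the migration.
request security idp security-package download full-update
# Re-run until the output reports that the download is done.
request security idp security-package download status
# Install only after the download has completed.
request security idp security-package install
# Re-run until the output reports that the install is done.
request security idp security-package install status
# Record the installed attack database version for comparison after the image change.
show security idp security-package-version
```

After the image change, running show security idp security-package-version again confirms that the migration preserved the database; if predefined attacks or groups fail to compile into a policy, repeat the download and install steps on the new image.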

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services application-identification uninstall command will uninstall all predefined signatures.

• On all branch SRX Series devices, IDP does not allow header checks for nonpacket contexts.


• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported number of entries in the ASC table is 100,000 entries. However, because the user land buffer has a fixed size of 1 MB as a limitation, it displays a maximum of 38,837 cache entries.

• On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long time because:
  • Software DFA is now used for attack signature compilation.
  • The IDPD daemon gets a smaller CPU time slice during compilation.

• The maximum number of IDP sessions supported is 16,384 on SRX210 devices, 32,768 on SRX240 devices, and 131,072 on SRX650 devices.

• On all SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.

On all SRX Series devices, the following IDP policies are supported:
  • DMZ_Services
  • DNS_Service
  • File_Server
  • Getting_Started
  • IDP_Default
  • Recommended
  • Web_Server

• On all branch SRX Series devices, IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
  • No inspection of sessions that fail over or fail back.
  • The IP action table is not synchronized across nodes.
  • The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.
  • The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.

• On all branch SRX Series devices, IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.

NOTE: On SRX100 devices, IDP high availability (HA) is supported in active/backup mode.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each user logical system are compiled together and stored in the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:
  • IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.
  • As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.

IPv6 IPsec

The IPv6 IPsec implementation has the following limitations:

• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.

• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.

• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel

scalability numbers might drop.

• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel

throughput performance.

• The IPv6 IPsec VPN does not support the following functions:
  • 4in6 and 6in4 policy-based site-to-site VPN, IKE
  • 4in6 and 6in4 route-based site-to-site VPN, IKE
  • 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
  • 4in6 and 6in4 route-based site-to-site VPN, Manual Key
  • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
  • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
  • Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
  • IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
  • IKE peer type—Dynamic IP
  • Chassis cluster for basic VPN features
  • IKE authentication—PKI/RSA
  • Network Address Translation-Traversal (NAT-T)
  • VPN monitoring
  • Hub-and-spoke VPNs
  • Next Hop Tunnel Binding Table (NHTB)
  • Dead Peer Detection (DPD)
  • Simple Network Management Protocol (SNMP) for IPsec VPN MIBs
  • Chassis cluster for advanced VPN features
  • IPv6 link-local address

Layer 2 Transparent Mode

• DHCP server propagation is not supported in Layer 2 transparent mode.

IPv6 Support

• NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX Series and J Series devices.

J-Web

• J-Web browser support for Dell PowerConnect and SRX Series devices—To access J-Web for all platforms, your device requires the following supported browsers and OS:
  • Browser: Microsoft Internet Explorer version 7.0, and Mozilla Firefox version above 3.0 and below 3.5.

  NOTE: Other browser versions might not provide access to J-Web, and only English-version browsers are supported.

  • OS: Microsoft Windows XP Service Pack 3

• SRX Series and J Series browser compatibility
  • To access the J-Web interface, your management device requires the following software:
    • Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
    • Language support—English-version browsers
    • Supported OS—Microsoft Windows XP Service Pack 3

• If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.

• On all branch SRX Series devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.

• On SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.

• On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, only 58 characters, maximum, are displayed in the J-Web System Identification panel.

• On all J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.

• On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.

Network Address Translation (NAT)

• Maximum capacities for source pools and IP addresses have been extended on SRX650 devices, as follows:

Devices                 Source NAT Pools   PAT Maximum Address Capacity   PAT Port Number   Source NAT Rules Number
SRX650 (High Memory)    1024               1024                           64M               1024
SRX650 (Low Memory)     256                256                            16M               1024


Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures that NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range, or the pool-default-port-range statement to override the specified default.

Configuring port overloading should also be done carefully when source NAT pools are increased.

For a source pool with port address translation (PAT) in the range 64,510 through 65,533, two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use.
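A configuration of the kind the paragraphs above describe, added here as an illustration and not taken from the release notes: a /24 source pool whose per-address port range is reduced so that the additional addresses do not grow port-allocation memory, with a device-wide default set by pool-default-port-range. The pool name lsn-pool, the prefix 203.0.113.0/24 and the port numbers are placeholders; both ranges stay below 64,512 so that the ports the note describes as used by the RTP/RTCP ALGs are left alone.

```junos
# Added example (not from the release notes). Pool name, prefix and ports are placeholders.
# Device-wide default for pools that do not set their own range: 31,744 ports per
# address instead of the full high range, leaving the ALG ports above 64,512 untouched.
set security nat source pool-default-port-range 1024 to 32767
# A larger pool (256 addresses) with a deliberately smaller per-address range so the
# extra addresses cost less port-allocation memory than the default would.
set security nat source pool lsn-pool address 203.0.113.0/24
set security nat source pool lsn-pool port range 2048 to 16383
```

After the commit, show security nat source pool all lists each pool with its address range and port range, which is the place to check that a newly enlarged pool really received the reduced range and did not fall back to the default.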

• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.

The number of destination and static NAT rules has been increased as shown in Table 12 on page 152. The limitation on the number of destination-rule-set and static-rule-set has been increased.

Table 12 on page 152 provides the requirements per device to increase the configuration limitation as well as to scale the capacity for each device.

Table 12: Number of Rules on SRX Series and J Series Devices

NAT Rule Type           SRX100   SRX210   SRX240   SRX650   J Series
Source NAT rule         512      512      1024     1024     512
Destination NAT rule    512      512      1024     1024     512
Static NAT rule         512      512      1024     6144     512

The restriction on the number of rules per rule set has been increased so that there is

only a device-wide limitation on howmany rules a device can support. This restriction

is provided to help you better plan and configure the NAT rules for the device.

Power over Ethernet (PoE)

• On SRX210-PoE devices, SDK packages might not work.

Security

• J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use order radius password or ldap password.


• On all branch SRX Series and J Series devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.

Table 13: Number of Addresses in an address-set on SRX Series and J Series Devices

Device                  address-set
Default                 1024
SRX100 High Memory      1024
SRX100 Low Memory       512
SRX210 High Memory      1024
SRX210 Low Memory       512
SRX240 High Memory      1024
SRX240 Low Memory       512
SRX650                  1024
J Series                1024

Simple Network Management Protocol (SNMP)

• On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release

11.4.

Switching

• Layer 2 transparent mode support—On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following features are not supported for Layer 2 transparent mode:
  • Gratuitous Address Resolution Protocol (GARP) on the Layer 2 interface
  • Spanning Tree Protocol (STP)
  • IP address monitoring on any interface
  • Transit traffic through integrated routing and bridging (IRB)
  • IRB interface in a routing instance
  • Chassis clustering
  • IRB interface handling of Layer 3 traffic


NOTE: The IRB interface is a pseudointerface and does not belong to the reth interface and redundancy group.

• On SRX100, SRX210, SRX240, and SRX650 devices, Change of Authorization is not

supported with 802.1x.

• On SRX100, SRX210, SRX240, and SRX650 devices, on the routed VLAN interface, the following features are not supported:
  • IPv6 (family inet6)
  • ISIS (family ISO)
  • Class of service
  • Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
  • CLNS
  • Protocol Independent Multicast (PIM)
  • Distance Vector Multicast Routing Protocol (DVMRP)
  • VLAN interface MAC change
  • Gratuitous Address Resolution Protocol (ARP)
  • Change VLAN-Id for VLAN interface

Unified Threat Management (UTM)

• On all J Series devices, UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

Upgrade and Downgrade

• On J Series devices, the Junos OS upgrade might fail due to insufficient disk space if the CompactFlash is smaller than 1 GB in size. We recommend using a 1-GB CompactFlash for Junos OS Release 10.0 and later.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you connect a client running Junos Pulse 1.0 to an SRX Series device that is running a later version of Junos Pulse, the client will not be upgraded automatically to the later version. You must uninstall Junos Pulse 1.0 from the client and then download the later version of Junos Pulse from the SRX Series device.


Virtual Private Networks (VPNs)

• On SRX100, SRX210, SRX240, and SRX650 devices, while configuring dynamic VPN using the Junos Pulse client, when you select the authentication-algorithm as sha-256 in the IKE proposal, the IPsec session might not get established.

Unsupported CLI for Branch SRX Series Services Gateways and J Series Services Routers

Accounting-Options Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.

AX411 Access Point Hierarchy

• On SRX100 devices, there are CLI commands for wireless LAN configurations related

to the AX411 Access Point. However, at this time, the SRX100 devices do not support

the AX411 Access Point.

Chassis Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

chassis hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error

message.

set chassis craft-lockout

set chassis routing-engine on-disk-failure

Class-of-Service Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following

class-of-service hierarchy CLI commands are not supported. However, if you enter

these commands in the CLI editor, they appear to succeed and do not display an error

message.

set class-of-service classifiers ieee-802.1ad

set class-of-service interfaces interface-name unit 0 adaptive-shaper

Ethernet-Switching Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

Ethernet-switching hierarchy CLI commands are not supported. However, if you enter

these commands in the CLI editor, they appear to succeed and do not display an error

message.

set ethernet-switching-options bpdu-block disable-timeout


set ethernet-switching-options bpdu-block interface

set ethernet-switching-options mac-notification

set ethernet-switching-options voip interface access-ports

set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class

Firewall Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

Firewall hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error

message.

set firewall family vpls filter

set firewall family mpls dialer-filter d1 term

Interfaces CLI Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

interface hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error message.

• Aggregated Interface CLI on page 156

• ATM Interface CLI on page 157

• Ethernet Interfaces on page 158

• GRE Interface CLI on page 158

• IP Interface CLI on page 158

• LSQ Interface CLI on page 159

• PT Interface CLI on page 159

• T1 Interface CLI on page 159

• VLAN Interface CLI on page 160

Aggregated Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

request lacp link-switchover ae0

set interfaces ae0 aggregated-ether-options lacp link-protection

set interfaces ae0 aggregated-ether-options link-protection


ATM Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces at-1/0/0 container-options

set interfaces at-1/0/0 atm-options ilmi

set interfaces at-1/0/0 atm-options linear-red-profiles

set interfaces at-1/0/0 atm-options no-payload-scrambler

set interfaces at-1/0/0 atm-options payload-scrambler

set interfaces at-1/0/0 atm-options plp-to-clp

set interfaces at-1/0/0 atm-options scheduler-maps

set interfaces at-1/0/0 unit 0 atm-l2circuit-mode

set interfaces at-1/0/0 unit 0 atm-scheduler-map

set interfaces at-1/0/0 unit 0 cell-bundle-size

set interfaces at-1/0/0 unit 0 compression-device

set interfaces at-1/0/0 unit 0 epd-threshold

set interfaces at-1/0/0 unit 0 inverse-arp

set interfaces at-1/0/0 unit 0 layer2-policer

set interfaces at-1/0/0 unit 0 multicast-vci

set interfaces at-1/0/0 unit 0 multipoint

set interfaces at-1/0/0 unit 0 plp-to-clp

set interfaces at-1/0/0 unit 0 point-to-point

set interfaces at-1/0/0 unit 0 radio-router

set interfaces at-1/0/0 unit 0 transmit-weight

set interfaces at-1/0/0 unit 0 trunk-bandwidth


Ethernet Interfaces

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes

set interfaces ge-0/0/1 gigether-options mpls

set interfaces ge-0/0/0 stacked-vlan-tagging

set interfaces ge-0/0/0 native-vlan-id

set interfaces ge-0/0/0 radio-router

set interfaces ge-0/0/0 unit 0 interface-shared-with

set interfaces ge-0/0/0 unit 0 input-vlan-map

set interfaces ge-0/0/0 unit 0 output-vlan-map

set interfaces ge-0/0/0 unit 0 layer2-policer

set interfaces ge-0/0/0 unit 0 accept-source-mac

set interfaces fe-0/0/2 fastether-options source-address-filter

set interfaces fe-0/0/2 fastether-options source-filtering

set interfaces ge-0/0/1 passive-monitor-mode

GRE Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces gr-0/0/0 unit 0 ppp-options

set interfaces gr-0/0/0 unit 0 layer2-policer

IP Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces ip-0/0/0 unit 0 layer2-policer

set interfaces ip-0/0/0 unit 0 ppp-options

set interfaces ip-0/0/0 unit 0 radio-router


LSQ Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces lsq-0/0/0 unit 0 layer2-policer

set interfaces lsq-0/0/0 unit 0 family ccc

set interfaces lsq-0/0/0 unit 0 family tcc

set interfaces lsq-0/0/0 unit 0 family vpls

set interfaces lsq-0/0/0 unit 0 multipoint

set interfaces lsq-0/0/0 unit 0 point-to-point

set interfaces lsq-0/0/0 unit 0 radio-router

PT Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces pt-1/0/0 gratuitous-arp-reply

set interfaces pt-1/0/0 link-mode

set interfaces pt-1/0/0 no-gratuitous-arp-reply

set interfaces pt-1/0/0 no-gratuitous-arp-request

set interfaces pt-1/0/0 vlan-tagging

set interfaces pt-1/0/0 unit 0 radio-router

set interfaces pt-1/0/0 unit 0 vlan-id

T1 Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces t1-1/0/0 receive-bucket

set interfaces t1-1/0/0 transmit-bucket

set interfaces t1-1/0/0 encapsulation ether-vpls-ppp

set interfaces t1-1/0/0 encapsulation extended-frame-relay

set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc


set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc

set interfaces t1-1/0/0 encapsulation satop

set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr

set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp

set interfaces t1-1/0/0 unit 0 layer2-policer

set interfaces t1-1/0/0 unit 0 radio-router

set interfaces t1-1/0/0 unit 0 family inet dhcp

set interfaces t1-1/0/0 unit 0 inverse-arp

set interfaces t1-1/0/0 unit 0 multicast-dlci

VLAN Interface CLI

• The following CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set interfaces vlan unit 0 family tcc

set interfaces vlan unit 0 family vpls

set interfaces vlan unit 0 accounting-profile

set interfaces vlan unit 0 layer2-policer

set interfaces vlan unit 0 ppp-options

set interfaces vlan unit 0 radio-router

Protocols Hierarchy

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI

commands are not supported. However, if you enter these commands in theCLI editor,

they will appear to succeed and will not display an error message.

set protocols bfd no-issu-timer-negotiation

set protocols bgp idle-after-switch-over

set protocols l2iw

set protocols bgp family inet flow

set protocols bgp family inet-vpn flow

set protocols igmp-snooping vlan all proxy


Routing Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

routing hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error

message.

set routing-instances < instance_name > services

set routing-instances < instance_name > multicast-snooping-options

set routing-instances < instance_name > protocols amt

set routing-options bmp

set routing-options flow

Services Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

services hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error

message.

set services service-interface-pools

SNMP Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following

SNMP hierarchy CLI commands are not supported. However, if you enter these

commands in the CLI editor, they appear to succeed and do not display an error

message.

set snmp community < community_name > logical-system

set snmp logical-system-trap-filter

set snmp trap-options logical-system

set snmp trap-group d1 logical-system

System Hierarchy

• On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system

hierarchy CLI commands are not supported. However, if you enter these commands

in the CLI editor, they appear to succeed and do not display an error message.

set system diag-port-authentication

Related Documentation

New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and

J Series Services Routers on page 127


• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series

Services Gateways and J Series Services Routers on page 172

Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

The following problems currently exist in Juniper Networks Branch SRX Series Services

Gateways and J Series Services Routers. The identifier following the description is the

tracking number in the Juniper Networks Problem Report (PR) tracking system.

Application Layer Gateway (ALG)

• On SRX650 devices, when MGCP ALG is enabled and the MGCP traffic traverses the

device, the device crashes and generates core files. [PR/602694]

Chassis Cluster

• On SRX240 High Memory devices, an image upgrade from Junos OS Release 10.3 does not support the "validate" option. Software upgrade can be done using the "no-validate" option. [PR/600467]

• On all branch SRX devices, in a chassis cluster, the status of the UTM Surf Control CPA

web filtering server in the primary node is down when the server is reachable.

[PR/701479]

• On all branch SRX Series devices running chassis cluster, if the external VPN interface is loopback, the device uses the physical interface IP after RG0 failover.

As a workaround, clear the IKE security association (SA) after RG0 failover. It will also help to configure the IKE SA lifetime to be shorter than the IPsec SA lifetime because the new IKE SA will be created any time the IPsec SA rekeys. [PR/707291]
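The workaround above, as an added example of the commands involved (not taken from the release notes): the IKE proposal lifetime is configured shorter than the IPsec proposal lifetime, and after an RG0 failover the IKE SA is cleared and the re-established SA checked. The proposal names ike-prop and ipsec-prop and the lifetime values are placeholders.

```junos
# Added example (not from the release notes). Names and values are placeholders.
# Configuration mode: IKE SA lifetime shorter than the IPsec SA lifetime, as the
# workaround suggests, so the IKE SA is rebuilt whenever the IPsec SA rekeys.
set security ike proposal ike-prop lifetime-seconds 3600
set security ipsec proposal ipsec-prop lifetime-seconds 28800

# Operational mode, on the new primary after an RG0 failover: confirm which node
# now owns RG0, tear down the IKE SA that was built on the physical interface
# address, then check the local address of the re-established SA.
show chassis cluster status
clear security ike security-associations
show security ike security-associations detail
```

The detail output is the check that matters here: the Local address of the new IKE SA should be the loopback address, not the physical interface address that the note says is used immediately after failover.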

Flow and Processing

• On J2350 devices, CPU utilization rises sharply with 3000 connections per second due

to rtlogd and eventd daemons consuming high CPU resources. [PR/586224]

• On SRX650 devices, the secondary node is not available due to an increase in OLC

messages. [PR/590739]

• On all branch SRX Series devices, changes in policer, filter, or sampling configuration

cause core files to be generated when multicast traffic is received. [PR/613782]

• On SRX240 devices, when the device updates the memory with the software multicast next hop index, it does not take into account the state of the logical aggregate child interface. [PR/668676]

• On SRX650 and SRX240 devices, the throughput performance of Surf Control Web

Filter has dropped. When you require the previous level of throughput performance,

do not upgrade to Release 11.4R1. [PR/671777]

• On SRX100 High Memory devices, we do not recommend using the predefined policy

template IDP_Default as the active policy with the latest signature package installed.

Other policies from the policy templates can be used as the active policy. [PR/671977]


• On SRX100, SRX210, and SRX210 devices, flow and packet performance, and drop in

gre and gre_ipsec, is observed. [PR/682501]

• On SRX210 devices, Packet Forwarding Engine core files are observed periodically.

[PR/697032]

• On J4350, SRX550, and SRX650 devices, when the peers are connected directly

through the t1 link and the ge link, pinging to the peer link local address of the t1 link

interface does not go through the t1 link, but through the ge link instead. [PR/684159]

• On all branch SRX Series devices, a memory leak occurs during the audit event

processing.

As a workaround, enable the security log cache with the security log cache configuration statement (set security log cache). [PR/698907]

• On SRX210 and SRX240 devices, you can observe a performance drop of the Kaspersky antivirus solution. [PR/704838]

• On SRX220 devices, performance drops on Generic Routing Encapsulation (GRE)

tunnel interface. [PR/706412]

Interfaces and Routing

• On SRX210 High Memory devices, a ping from the remote end with a packet size greater than 1480 bytes does not get through, because such packets are dropped at the default interface MTU of 1496 bytes, while the default Ethernet MTU of the remote host interface is 1514 bytes. [PR/469651]

• On J4350 devices, the routed interface (inet family) is not supported on the uPIMs when the PIC mode is configured as “switching”. Only the switching functionality is supported in this mode. [PR/590771]

• On SRX210, SRX220, and SRX240 devices, with an at-x/x/x interface (ADSL, VDSL operating in ATM (at) mode, and SHDSL), the difference between the MTU value on the logical interface and the MTU value on the physical interface has to be exactly 40 bytes. If this is not the case, the IP information is not displayed in the show interfaces command output. [PR/591585]

• On SRX210 devices, the G.SHDSL line does not come to show-time when the CPE is configured with annex-auto in 2-wire or 4-wire mode with an ADTRAN DSLAM, and in 2-wire mode with a Cisco DSLAM. [PR/686617]

• On SRX Series devices, a memory leak occurs during the audit event processing.

Workaround: Enable the security log cache using the security log cache configuration statement (set security log cache).

statement. [PR/698907]

• On SRX650 devices, when you enable application-firewall in policies back to back, ping does not work. [PR/708532]

Intrusion Detection and Prevention (IDP)

• On SRX210 devices, a performance drop is observed for IDP.


• On SRX240 devices, when downgrading from a Junos OS Release 11.4 or later image to a Release 11.1 or earlier image, the security package is deleted. Although it is installed automatically when the IDP daemon comes up, this automatic installation sometimes fails because of an AI installation error. The status can be checked with the operational command request security idp security-package install status.

As a workaround, when the installation fails, manually download or install the complete update. [PR/705113]
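The manual reinstallation that the workaround calls for, as an added example that is not taken from the release notes. These are operational-mode commands on a branch SRX device; the download assumes reachability to the Juniper security package server and a valid IDP license. Lines beginning with # are annotations, not CLI input.

```junos
# Fetch the complete security package (full-update) rather than a delta,
# and poll the download status until it reports completion.
request security idp security-package download full-update
request security idp security-package download status

# Install the downloaded package explicitly, replacing the automatic install
# that failed after the downgrade, and poll until the install completes.
request security idp security-package install
request security idp security-package install status

# Confirm the attack database and detector versions now installed.
show security idp security-package-version
```

Run the status command after each request rather than assuming completion: the download and the install are asynchronous, and starting the install before the download has finished leaves the device with the same missing package the PR describes.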

• On SRX210 devices, the IDPD daemon generates a core file when the Packet Forwarding Engine is offline during a policy load operation. [PR/702321]

J-Web

• On SRX210 and J4350 devices, we recommend that you avoid logging out of the device on the Troubleshoot > CLI Terminal page, because the logout option on the page is hidden in the CLI. [PR/401772]

• On all branch SRX Series devices, performing software upload is not possible when

using the J-Web interface with the Mozilla Firefox browser of version 3.5 and later. As

a workaround, use Internet Explorer (IE) or Mozilla Firefox version 3. [PR/500039]

• On SRX100 devices, the Monitor > System View > Cluster Status page is not clearly visible in Internet Explorer version 8. [PR/597025]

• On SRX100 Series devices, if node 0 is down, you must use the CLI to see chassis

information. [PR/598228]

• On SRX100 devices, the fxp0 interface is not listed in the Configure>chassis

cluster>cluster configuration>edit node>interface dialog box. [PR/599032]

• On all branch SRX Series devices, J-Web will not increment the cluster reth count. As

a workaround, increment the reth count from CLI before configuring the redundancy

group for the first time. [PR/599193]

• On all branch SRX Series devices, J-Web shows an invalid page while editing the ppd0 and ppe0 interfaces. As a workaround, use the CLI to configure ppd0 and ppe0. [PR/660575]

• On SRX650 devices, in J-Web, the configuration change cannot pass the commit check; therefore, you cannot delete the domain name of an address book. [PR/662618]

• On all branch SRX Series devices, in J-Web, DS3/E3 is not visible on chassis viewer.

[PR/662812]

• On all branch SRX Series devices, when you configure UTM features on the J-Web

interface, the buttons do not work in the antivirus windows when you use profile types

for express antivirus scanning and Sophos. [PR/683726]

• In the J-Web interface, if you discard any available MIB profile, file or predefined object

from "accounting-options" on the Point and Click CLI Configuration page (Configure

> CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround,

perform the same operation from the CLI. [PR/689261]

• On all branch devices, when you configure the wireless LAN access point on the

Configure > Wireless LAN > Setting page, you cannot set Bolivia as a country.

[PR/691824]


• On all branch devices, you cannot access the Help page directly from the Monitor

> Wireless LAN page. As a workaround, navigate to Monitor > Interfaces and click Help > Help Contents. In the Help page, click the WLAN link in the list of items under Monitor

Node. [PR/691915]

• On all branch devices, while editing the radio settings for a wireless LAN access point

on the Configure > Wireless LAN > Setting page, you cannot edit the virtual access

point. The security options configured are static-wep and dot1x. [PR/692195]

• On all branch devices, if the device monitors more than one access point and packet capture is enabled on only one of them, you see a Data Refresh Failed error message when you try to see the details of the other access points on the Monitor > Wireless LAN page. As a workaround, enable or disable packet capture uniformly across all the monitored access points. [PR/692344]

• On all branch devices, while configuring the security option of a virtual access point

under radio settings of a wireless LAN access point with the value WPA Enterprise, you cannot configure the RADIUS Server fields under the WPA Enterprise security option.

[PR/692739]

• On SRX100, SRX210, SRX240, and SRX650 devices, the country code configured for

the AX411 Wireless LAN Access Point connected to the device on the Configure

> Wireless LAN > Setting page, does not reflect properly on the Monitor > Wireless LAN

page. [PR/692740]

• On all branch SRX Series devices, upgrading the access point using J-Web (Configure

> Wireless LAN > Firmware Upgrade) does not work. [PR/694627]

• On all branch devices, users cannot configure Supported rates and Supported Basic

rates with different values on the Configure > Wireless LAN > Setting page. J-Web

takes the values while deploying the configuration. [PR/696627]

• On all branch devices, the protection field is cleared when a user uses the Edit Radio

option button to edit the advanced options on the Configure > Wireless LAN > Setting

page. [PR/696629]

• On all branch SRX devices, you cannot view the access point details of an active access point from the J-Web Monitor > Wireless LAN page. [PR/700513]

• On all branch SRX devices, in Internet Explorer, the dashboard panels do not show any

data until they are refreshed. [PR/703958]

Layer 2 Transparent Mode

• The transition from Layer 3 to Layer 2 mode is not possible if more than one logical interface is configured under a physical interface, for example:

• ge-0/0/4.2 up up inet 16.1.1.2/24

• ge-0/0/4.3 up up inet 16.1.1.3/24

• ge-0/0/4.4 up up inet 16.1.1.4/24

• ge-0/0/4.5 up up inet 16.1.1.5/24

• ge-0/0/4.6 up up inet 16.1.1.6/24


[PR/699497]

• On all branch SRX Series devices, while you transition from Layer 3 mode to Layer 2 mode, if any part of the management interface is under vlan.0, J-Web loses connectivity and cannot move from Layer 3 mode to Layer 2 mode. [PR/705004]

Network Address Translation (NAT)

• On all branch SRX Series devices, when you configure two static NAT rules in the default routing instance with the same prefix, where one rule specifies static-nat prefix routing-instance default and the other does not, the commit does not warn about the overlapping prefix and completes.

Do not use the same static NAT prefix in two rules in the default routing instance where one rule specifies static-nat prefix routing-instance default and the other does not. [PR/708433]
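A constructed illustration of the overlap described above, added here and not part of the release notes. The rule-set, rule, and zone names are placeholders and the addresses are from the documentation ranges; the show security nat static rule all command is the check to run before committing, since the commit itself does not flag the overlap on the affected release. Lines beginning with # are annotations, not CLI input.

```junos
# Two static NAT rules that both translate to 192.0.2.10/32 in the default
# routing instance. r1 names the routing instance explicitly, r2 does not;
# on the affected release the commit completes with no overlap warning.
set security nat static rule-set rs-untrust from zone untrust
set security nat static rule-set rs-untrust rule r1 match destination-address 203.0.113.10/32
set security nat static rule-set rs-untrust rule r1 then static-nat prefix 192.0.2.10/32
set security nat static rule-set rs-untrust rule r1 then static-nat prefix routing-instance default
set security nat static rule-set rs-untrust rule r2 match destination-address 203.0.113.11/32
set security nat static rule-set rs-untrust rule r2 then static-nat prefix 192.0.2.10/32

# Corrected: give r2 its own translated prefix so that no two rules in the
# default routing instance share one, then review the rules before commit.
delete security nat static rule-set rs-untrust rule r2 then static-nat
set security nat static rule-set rs-untrust rule r2 then static-nat prefix 192.0.2.11/32
run show security nat static rule all
commit check
commit
```

The review step matters because the two overlapping rules are both accepted and both installed; which one a packet hits is then decided by rule order, not by a commit error, so the translation you get is not the one you can see at a glance in the configuration.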

Upgrade and Downgrade

• On all branch SRX Series devices, application identification does not support the

downgrade of an image when you attempt to downgrade the device from Junos OS

Release 12.1 to Release 11.4. Youmust download and install the signature database

once again.

If you upgrade the device from Junos OS Release 11.4 to Release 12.1, the application identification signatures take about 30 seconds to recompile. During these 30 seconds, application identification does not identify the traffic, and the application firewall drops it as an unknown session. [PR/689304]

UTM

• On all branch SRX devices, the maximum number of connections per second supported by the Enhanced Web Filtering solution is less than that supported by the Surf Control solution. [PR/609094]

• On SRX210 devices, the UTM express antivirus (EAV) status shows Engine not ready (Database Loading) even after the database has loaded successfully. This issue occurs occasionally after an image upgrade or downgrade, and on a system reboot.

As a workaround, delete the pattern database and issue a pattern update with the following operational commands, then confirm the engine state with show security utm anti-virus status:

• request security utm anti-virus juniper-express-engine pattern-delete

• request security utm anti-virus juniper-express-engine pattern-update

[PR/693530]

• On all branch SRX devices, when the Websense cache for Enhanced Web Filtering is disabled and the transaction rate is 200 per second or higher, the fallback default counters increment. [PR/696183]

• On all branch SRX devices with UTM Enhanced Web Filtering enabled, entries in the log file are available for all URLs that have been redirected to the client for a safe search, but no entries are available for URLs that have already had a safe search applied to them. [PR/696495]

• On all branch SRX devices with Enhanced Web Filtering with Websense enabled, the

TCP connections from the device to the ThreatSeeker Cloud (TSC) server are

established without a valid feature license. [PR/698596]

• On J Series devices that use the UTM feature, do not upgrade to Release 11.4R1. [PR/707622]

VPN

• On SRX240 and SRX650 devices, when there is simultaneous negotiation, you may see multiple IPsec SAs and IKE SAs for the same peer. This does not affect any functionality. [PR/594860]

• On SRX240 devices, on reboot the mgd commit fails when you configure static next-hop tunnel bundling. [PR/695671]

Related Documentation

• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127

• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 139

• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172

Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

The following are the issues that have been resolved since Junos OS Release 11.2 for

Juniper Networks branch SRX Series Services Gateways and J Series Services Routers.

The identifier following the description is the tracking number in the Juniper Networks

Problem Report (PR) tracking system.


Application Layer Gateways (ALGs)

• On SRX210 devices, when OpenPhone was used in fast start/slow start tunnel mode and another phone in normal mode, the call failed. [PR/684951: This issue has been resolved.]

Authentication

• On SRX650 devices, authentication failure occurred when a new user was added.

[PR/661720: This issue has been resolved.]

Chassis Cluster

• On SRX240 and SRX650 devices in a chassis cluster, telnet and SSH sessions to the RVI through secondary-node ports timed out within 20 seconds. [PR/567805: This issue has been resolved.]

• On SRX650 devices, some interfaces on node0 in the chassis cluster showed

unspecified speed and half-duplex. [PR/597575: This issue has been resolved.]

• On SRX650 devices, the antivirus feature caused forwarding slowness at traffic peaks due to a memory issue related to scanning of SMTP traffic. [PR/610336: This issue has been resolved.]

• On SRX650 devices in a chassis cluster, failover took more than 5 seconds when the

monitored interface flapped. The switch link scan had originally been set for 4 seconds

and is now set for 0.5 seconds, thereby speeding up the link detection process.

[PR/664851: This issue has been resolved.]

• On SRX210, SRX220, SRX240, and SRX650 devices, if the ISSU failed and only one

device in the cluster was upgraded, rollback to the previous configuration on that device

was achieved only by using the following commands on the upgraded device:

• request chassis cluster in-service-upgrade abort

• request system software rollback

• request system reboot

[PR/670955: This issue has been resolved.]

• On SRX650 devices, when a second node was not present in a chassis cluster

configuration, any new provision of redundancy group got stuck in secondary state.

[PR/685322: This issue has been resolved.]

• On SRX650 devices, for switching deployment in chassis cluster, multicast traffic was

duplicated. [PR/689153: This issue has been resolved.]


DHCP

• On J4350 devices, the DHCP client lease did not have the correct attributes during

static lease renewal by the DHCP server to the client. The static binding lease given by

the server was the default lease time; however, the lease end time should have been

"never". [PR/665084: This issue has been resolved.]

Flow and Processing

• On SRX210, SRX220, SRX240, SRX650, and J Series devices, the TCP connections per second drop was anticipated. [PR/550444: This issue has been resolved.]

• On SRX210, SRX240, and SRX650 devices, traffic that required packet fragmentation did not pass or had high latency. [PR/590480: This issue has been resolved.]

• On SRX100 devices, when the device was switched from Layer 3 to Layer 2 mode, the

user was prompted to reboot the device. If the device was not rebooted and was

switched back to Layer 3mode, a core file was generated. [PR/605293: This issue has

been resolved.]

• On SRX210 High Memory devices, when the anchor interface of the GRE tunnel interface was configured to obtain its IP address from the CX111, the GRE tunnel was not created and the CX111 was restarted. [PR/605529: This issue has been resolved.]

• On J6350 devices, when the CLI command restart forwarding gracefully in chassis

cluster mode was executed, the FPC remained offline. [PR/605657: This issue has

been resolved.]

• On SRX220 devices, the show security policy <policy-name> command inconsistently showed the possible objects (security policy names) in operational and configuration modes. [PR/608664: This issue has been resolved.]

• On J2320 devices, the E1 connected interface dropped traffic and generated a core file.

[PR/609720: The issue has been resolved.]

• On SRX210, SRX220, and J6350 devices, when the interface configuration changed continuously, OSPF got stuck in the init state over the E1/T1 link. [PR/660264: This issue has been resolved.]

• On SRX100, SRX210, SRX220, and SRX240 Low Memory devices, due to memory allocations, traffic stopped passing when ALG-based traffic was used. [PR/664378: This issue has been resolved.]

• On SRX240 devices, packet mode reordering of packets failed in multithreaded

platforms for multicast flows that had to go out on a single egress interface.

[PR/669046: This issue has been resolved.]

• On SRX210 devices, the 80th, 160th, 240th, and so on character of the message was lost while sending messages between users using the request message command. [PR/670106: This issue has been resolved.]

• On J2350 devices, the vrf-table-label could not be used when you used the

encapsulation type flexible-ethernet-services. [PR/671286: This issue has been

resolved.]


• On SRX240 devices, when host-originated packets were sent out through the

gr-interface, both local and transit counters did not increment for this interface.

[PR/676970: This issue has been resolved.]

• On SRX100, SRX210, SRX220, SRX240, SRX650 and J Series devices, Remote MAC

Learning for VPLS did not work. [PR/687956: This issue has been resolved.]

• On SRX210 devices, core files for PFE daemons were observed. [PR/697032: This issue has been resolved.]

Interfaces and Routing

• On SRX650 devices, when you rebooted the secondary node, the multicast session was rebuilt, and extra leaf sessions were set up with local0 as the outgoing interface. [PR/604084: This issue has been resolved.]

• On SRX650 and J4350 devices, when OSPF was used over IPsec, a core file was

generated when the routing process was restarted. [PR/606272: This issue has been

resolved.]

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, VLAN to interface

disassociation did not work properly. [PR/662942: This issue has been resolved.]

• On SRX240 devices, no optical diagnostics were available for the ge interface on the 1xGE High-Performance SFP Mini-PIM PIC. [PR/666315: This issue has been resolved.]

• On SRX210 devices, the monitor traffic command disabled the VPLS service. [PR/670230: This issue has been resolved.]

• On SRX210 devices, when processing traffic from or to the SRX devices (host-bound traffic), GRE interface counters showed incorrect values and decremented occasionally. This was a display issue, as traffic was still being processed normally and no packets were lost. [PR/672302: This issue has been resolved.]

• On SRX240 devices, an error message was displayed when committing a DNAT pool

configuration with an IP address of 0.0.0.0/0 even though the commit executed

successfully. [PR/682915: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

• On SRX650 devices, VRRP hello packets were lost during IDP pattern update.

[PR/590838: This issue has been resolved.]

J-Web

• On the Security > Filters > IPv4 page and IPv6 firewall filters page, when users added

a new IPv4 filter name and clicked the Add button, the change was not reflected on

the pages. In addition, the configure firewall filter page did not appear. [PR/576194:

This issue has been resolved.]

• On SRX210 devices, in the J-Web interface, if you discard any available MIB profile, file, or predefined object from "accounting-options" on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session timed out. [PR/689261: This issue has been resolved.]


• On SRX110 devices, the J-Web interface did not work on the SRX110H-VB models.

[PR/689614: This issue has been resolved.]

License

• The SRX210, SRX220, SRX240, and SRX650 devices had two free dynamic VPN user licenses, but the LICENSE_EXPIRED alarm was generated if fewer than two users connected to the VPN on SRX Series devices. [PR/661417: This issue has been resolved.]

• On SRX210 and SRX240 devices with DC Power Supply, the default licenses did not

work. [PR/667526: This issue has been resolved.]

NAT

• On SRX240 devices, when you configured IP addresses for proxy ARP under the security NAT configuration, the device failed to respond to ARP probe packets. [PR/663507: This issue has been resolved.]

Switching

• On SRX210, SRX220, and J Series devices, the Dot1x-enabled port flooded traffic

without authentication. [PR/687053: This issue has been resolved.]

UTM

• On SRX650 devices, a commit error occurred when the policy used UTM:

"application-services' warning: license not installed for". [PR/600941: This issue has

been resolved.]

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you added a date-based license, the device accepted the license, but the addition was not displayed in the Licenses installed field of the output for the show system license command. The Expiry field showed “invalid” or “X days”, depending on whether the grace period was available or not. [PR/665111: This issue has been resolved.]

• On SRX210 devices, the HTTP downloading connection for UTM antivirus was dropped when the file exceeded 2 GB. [PR/668818: This issue has been resolved.]

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, you could enable the Enhanced Web Filtering feature of UTM with a license for the Surf Control Web Filtering feature. [PR/686290: This issue has been resolved.]

Virtual Private Network (VPN)

• On SRX210 devices, when the "@" sign was included in the dynamic hostname, the clear security dynamic-vpn user command returned an error: "Invalid username or ike id for user xxxx. No entry was cleared." [PR/608342: This issue has been resolved.]

• On SRX650 devices, the DSCP tagged packets coming in from a VPN tunnel were not

classified and were placed in the default best-effort queue on the egress interface.

[PR/664820: This issue has been resolved.]


Related Documentation

• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127

• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 139

• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172

Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

Errata for the Junos OS Software Documentation

This section lists outstanding issues with the software documentation.

Junos OS CLI Reference

• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in

proposal-set (IPsec) section. The IPsec proposals should be as follows:

• basic—nopfs-esp-des-sha and nopfs-esp-des-md5

• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and

nopfs-esp-des-md5


• standard—g2-esp-3des-sha and g2-esp-aes128-sha
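The predefined basic and compatible sets listed above use single DES, MD5, and no perfect forward secrecy, and a practitioner should not rely on them. The explicit proposals below are an added example, not part of the release notes: the proposal, policy, gateway, and VPN names and the pre-shared key are placeholders, and the IKE gateway gw-branch is assumed to exist already with its address and external interface configured. Algorithm and Diffie-Hellman group availability differs between Junos releases, so confirm each option with ? on your device and prefer group14 and SHA-256 where the release offers them. Lines beginning with # are annotations, not CLI input.

```junos
# Phase 1: an explicit IKE proposal instead of a predefined proposal-set.
set security ike proposal ike-aes256-sha dh-group group5
set security ike proposal ike-aes256-sha authentication-method pre-shared-keys
set security ike proposal ike-aes256-sha authentication-algorithm sha1
set security ike proposal ike-aes256-sha encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-aes256-sha
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway gw-branch ike-policy ike-pol

# Phase 2: ESP with AES-256 and HMAC-SHA-1 plus PFS, instead of the basic
# and compatible sets (DES or 3DES, MD5 or SHA-1, and no PFS).
set security ipsec proposal ipsec-aes256-sha protocol esp
set security ipsec proposal ipsec-aes256-sha encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-aes256-sha authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group5
set security ipsec policy ipsec-pol proposals ipsec-aes256-sha
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
commit

# Check that the negotiated SA actually uses the intended algorithms and PFS.
run show security ipsec security-associations detail
```

Both peers must offer a matching proposal; if the remote side only offers one of the predefined sets, the negotiation falls back to whatever both sides share, so check the detail output rather than the configuration to see what was actually negotiated.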

J Series Services Router AdvancedWANAccess Configuration Guide

• The example given in the “Configuring Full-Cone NAT” section of the J Series Services Router Advanced WAN Access Configuration Guide available at http://www.juniper.net/techpubs/software/jseries/junos85/index.html is incorrect. The correct and updated example is given in the J Series Services Router Advanced WAN Access Configuration Guide available at http://www.juniper.net/techpubs/software/jseries/junos90/.

J2320, J2350, J4350, and J6350 Services Router Getting Started Guide

• The “Connecting to the CLI Locally” section in the J2320, J2350, J4350, and J6350 Services Router Getting Started Guide states that the required adapter type is DB-9 female to DB-25 male. This is incorrect; the correct adapter type is DB-9 male to DB-25 male.

Junos OS Feature Support Reference for SRX Series and J Series Devices

• Junos OS Feature Support Reference for SRX Series and J Series Devices, chapter 2, “Feature Support Tables,” row 1 of Table 50: Transparent Mode Support, incorrectly states that the bridge domain and transparent mode feature is not supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. The bridge domain and transparent mode feature is supported on all the listed devices from Junos OS Release 11.1.

J-Web

• J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about the download status.

• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.

• J-Web Configuration Instructions—Because of ongoing J-Web interface enhancements,

some of the J-Web configuration example instructions in the Junos administration and

configuration guides became obsolete and thus were removed. For examples that are

missing J-Web instructions, use the provided CLI instructions.

Junos OS Security Configuration Guide

• In Chapter 1, “Understanding Flow-Based Processing,” of the Junos OS Security

Configuration Guide a figure showed incorrect placement of static, destination, and

source NAT. The figure has been corrected in Junos OS Release 11.4.

• The Junos OS Security Configuration Guide incorrectly states that the release supports

security chains, which validate a certificate path upward through eight levels of CA

authorities in the PKI hierarchy. The release does not support security chains.


• The Junos OS Security Configuration Guide incorrectly states that “For SRX Series chassis clusters made up of SRX100, SRX210, SRX220, SRX240, or SRX650 devices, SFP interfaces on Mini-PIMs cannot be used as the fabric link”. However, the SFP interfaces on Mini-PIMs can be used as the fabric link with the following limitation: “During node failover, sometimes the primary node goes to disabled state and fabric probes are not received”.

Junos OSWLAN Configuration and Administration Guide

• This guide is missing the information that the AX411 Access Point can be managed from

SRX100 and SRX110 devices.

Errata for the Junos OSHardware Documentation

This section lists outstanding issues with the hardware documentation.

AX411 Access Point Hardware Guide

• The AX411 Access Point Hardware Guide incorrectly documents the maximum number of supported access points on the SRX Series devices. The document should state that on the SRX210, SRX240, and SRX650 devices, you can configure and manage up to four access points (maximum).

• This guide is missing the information that the AX411 Access Point can be managed from

SRX100 and SRX110 devices.

J Series Services Routers Hardware Guide

• In the J Series Services Routers Hardware Guide, the procedure “Installing a DRAM

Module” omits the following condition:

All DRAM modules installed in the router must be the same size (in megabytes), type, and manufacturer. The router might not work properly when DRAM modules of different sizes, types, or manufacturers are installed.

• The J Series Services Routers Hardware Guide incorrectly states that only the J2350

Services Router complies with Network Equipment Building System (NEBS) criteria.

The document should state that the J2350, J4350, and J6350 routers comply with

NEBS criteria.

• The J Series Services Routers Hardware Guide is missing information about 100Base-LX connector support for 1-port and 6-port Gigabit Ethernet uPIMs.


SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide

• In the “SRX Series Services Gateway Interfaces Power and Heat Requirements” section, the PIM Power Consumption Values table gives the power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM as 3.18 W.

The correct power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM is 4.4 W.

SRX100 Services Gateway Hardware Guide

• In the “Connecting an SRX100 Services Gateway to the J-Web Interface” section, the

following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

SRX210 Services Gateway Hardware Guide

• In the “Connecting an SRX210 Services Gateway to the J-Web Interface” section, the

following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

SRX240 Services Gateway Hardware Guide

• In the “Connecting the SRX240 Services Gateway to the J-Web Interface” section, the

following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

Quick Start Guides

• In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in

the wrong order. “Task 6: Connect the External Antenna” should appear before “Task

3: Check the 3G ExpressCard Status,” because the user needs to connect the antenna

before checking the status of the 3G ExpressCard. The correct order of the tasks is as

follows:

1. Install the 3G ExpressCard

2. Connect the External Antenna

3. Check the 3G ExpressCard Status


4. Configure the 3G ExpressCard

5. Activate the 3G ExpressCard Options

• In the SRX210 Services Gateway 3G ExpressCard Quick Start, in “Task 6: Connect the

External Antenna,” the following sentence is incorrect and redundant: “The antenna

has a magnetic mount, so it must be placed far away from radio frequency noise sources

including network components.”

• In the SRX210 3G Quick Start Guide, in the “Frequently Asked Questions” section, the

answer to the following question contains an inaccurate and redundant statement:

Q: Is an antenna required? How much does it cost?

A: The required antenna is packaged with the ExpressCard in the SRX210 Services

Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic

mount with ceiling and wall mount kits within the package.

In the answer, the sentence “The antenna will have a magnetic mount with ceiling and

wall mount kits within the package” is incorrect and redundant.

SRX210 Services Gateway Quick Start Guide

• Installing Software Packages—The SRX210 Services Gateway Hardware Guide is

missing the following information:

On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the

root partition). If Junos OS installation fails as a result of insufficient space:

1. Use the request system storage cleanup command to delete temporary files.

2. Delete any user-created files both in the root partition and under the /var hierarchy.

Related Documentation

• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and

J Series Services Routers on page 127

• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways

and J Series Services Routers on page 139

Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

In order to upgrade to Junos OS Release 11.4 or later, your device must be running one of

the following Junos OS Releases:

• 9.1S1

• 9.2R4

• 9.3R3

• 9.4R3

• 9.5R1 or later


If your device is running an earlier release, upgrade to one of these releases and then to

the 11.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release

9.2R4 and then to Release 11.4.

For additional upgrade and download information, see the Junos OS Initial Configuration

Guide for Security Devices and the Junos OS Migration Guide.

• Upgrade and Downgrade Scripts for Address Book Configuration on page 177

• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 179

• Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways

and J Series Services Routers on page 179

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 11.4, you can configure address books under the [security]

hierarchy and attach security zones to them (zone-attached configuration). In Junos OS

Release 11.1 and earlier, address books were defined under the [security zones] hierarchy

(zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached

configuration format or under the [security zones] hierarchy in a zone-defined configuration

format; the CLI displays an error and fails to commit the configuration if you configure

both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the

address book configuration formats (see Figure 1 on page 178).

• About Upgrade and Downgrade Scripts on page 177

• Running Upgrade and Downgrade Scripts on page 178

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 11.4, you have the following options for configuring

the address book feature:

• Use the default address book configuration—You can configure address books using

the zone-defined configuration format, which is available by default. For information

on how to configure zone-defined address books, see the Junos OS Release 11.1

documentation.

• Use the upgrade script—You can run the upgrade script available on the Juniper Networks

support site to configure address books using the new zone-attached configuration

format. When upgrading, the system uses the zone names to create address books.

For example, addresses in the trust zone are created in an address book named

trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules

remain unaffected.

After upgrading to the zone-attached address book configuration:

• You cannot configure address books using the zone-defined address book

configuration format; the CLI displays an error and fails to commit.

• You cannot configure address books using the J-Web interface.


For information on how to configure zone-attached address books, see the Junos OS

Release 11.4 documentation.

• Use the downgrade script—After upgrading to the zone-attached configuration, if you

want to revert to the zone-defined configuration, use the downgrade script available

on the Juniper Networks support site. For information on how to configure zone-defined

address books, see the Junos OS Release 11.1 documentation.

NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books

[Figure: flow between the zone-defined address book configuration and the zone-attached address book configuration. Download Junos OS Release 11.2 or later and run the upgrade script to reach the zone-attached configuration, in which the global address book is available by default, address books are defined under the security hierarchy, and zones need to be attached to address books. Run the downgrade script to return to the zone-defined address book configuration. Note: make sure to revert any configuration that uses addresses from the global address book.]

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed.

Thus, if the zone-defined address book and zone-attached address book configurations

are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

• If you upgrade your device to Junos OS Release 11.4 and configure logical systems, the

master logical system retains any previously configured zone-defined address book

configuration. The master administrator can run the address book upgrade script to


convert the existing zone-defined configuration to the zone-attached configuration.

The upgrade script converts all zone-defined configurations in the master logical system

and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos

OS Configuration and Operations Automation Guide.
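The conversion that the upgrade and downgrade scripts perform, together with the two restrictions listed above (no mixed formats, no run while a global address book exists), as an added example in Python. This is not Juniper's op script: the configuration is modelled as a plain dict constructed here, and the keys "zones", "address-books", "address" and "attach" are this model's own names.

```python
"""Model of the Junos OS 11.4 address book upgrade and downgrade scripts.

Added example, not Juniper's own op scripts. The configuration is a plain
dict (constructed below) and the checks mirror the restrictions stated in
the release notes: zone-defined and zone-attached formats cannot coexist,
and neither script runs while a global address book exists.
"""
from copy import deepcopy


def commit_check(config):
    """Return a list of commit errors; empty when the configuration would commit.

    The CLI refuses to commit when both address book formats are present.
    """
    zone_defined = [z for z, body in config["zones"].items() if body.get("address-book")]
    zone_attached = list(config.get("address-books", {}))
    if zone_defined and zone_attached:
        return [f"zone-defined address books in {zone_defined} conflict with "
                f"zone-attached address books {zone_attached}"]
    return []


def _precheck(config, script):
    """Both scripts require a committable configuration and no global book."""
    errors = commit_check(config)
    if errors:
        raise RuntimeError(f"{script} script refused: " + "; ".join(errors))
    if config.get("address-books", {}).get("global"):
        raise RuntimeError(f"{script} script refused: global address book exists")


def upgrade_address_books(config):
    """Convert zone-defined books to zone-attached ones.

    Each zone's addresses move to a book named '<zone>-address-book' under
    [security] and that zone is attached to the book; zones without addresses
    get no book. NAT rules are not touched, as the release notes state.
    """
    _precheck(config, "upgrade")
    new = deepcopy(config)
    new.setdefault("address-books", {})
    for zone_name, zone in new["zones"].items():
        entries = zone.pop("address-book", None)
        if not entries:
            continue
        new["address-books"][f"{zone_name}-address-book"] = {
            "address": dict(entries),
            "attach": [zone_name],
        }
    return new


def downgrade_address_books(config):
    """Reverse the conversion: copy each book's addresses back under its attached zones."""
    _precheck(config, "downgrade")
    new = deepcopy(config)
    for book in new.get("address-books", {}).values():
        for zone_name in book.get("attach", []):
            new["zones"][zone_name].setdefault("address-book", {}).update(book["address"])
    new["address-books"] = {}
    return new


# Constructed sample of an 11.1-style (zone-defined) configuration.
ZONE_DEFINED_CONFIG = {
    "zones": {
        "trust": {"address-book": {"web-srv": "10.1.1.10/32", "lan": "10.1.0.0/16"}},
        "untrust": {"address-book": {"partner": "192.0.2.0/24"}},
        "dmz": {},
    },
    "address-books": {},
}

if __name__ == "__main__":
    upgraded = upgrade_address_books(ZONE_DEFINED_CONFIG)
    print(sorted(upgraded["address-books"]))  # ['trust-address-book', 'untrust-address-book']
    restored = downgrade_address_books(upgraded)
    print(restored["zones"] == ZONE_DEFINED_CONFIG["zones"])  # True
```

The round trip (upgrade, then downgrade) returns the original zone-defined layout, which is the property a change window should verify before committing the converted configuration.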

Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended

End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of

two adjacent later EEOL releases. You can also downgrade directly from one EEOL release

to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade

from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to

10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second

time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either

10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0

or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that

you can upgrade and downgrade by no more than three releases at a time. This policy

remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see

http://www.juniper.net/support/eol/junos.html.
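The two rules above (EEOL-to-EEOL hops of at most two adjacent EEOL releases, and hops of at most three releases when a non-EEOL release is involved) as an added path-planning example in Python; it is not a Juniper tool. The release list is constructed: 9.3, 10.0 and 10.4 are EEOL per the text and the text's own example implies 8.5 is EEOL as well, while the intermediate release names, their non-EEOL status, and counting "three releases" as positions in the chronological list are assumptions made for illustration.

```python
"""Direct-hop and multi-hop path check for the Junos OS EEOL upgrade policy.

Added example, not a Juniper tool. Rules as stated in the release notes:
  - EEOL -> EEOL: a direct hop may span at most two adjacent EEOL releases
    in either direction.
  - any hop to or from a non-EEOL release: at most three releases at a time.
Release list is constructed; EEOL flags for 8.5, 9.3, 10.0 and 10.4 follow the
notes, the other entries and the counting convention are assumptions.
"""
from collections import deque

RELEASES = [  # (release, is_eeol), oldest first; constructed sample
    ("8.5", True), ("9.0", False), ("9.1", False), ("9.2", False),
    ("9.3", True), ("9.4", False), ("9.5", False), ("9.6", False),
    ("10.0", True), ("10.1", False), ("10.2", False), ("10.3", False),
    ("10.4", True),
]
ORDER = {name: i for i, (name, _) in enumerate(RELEASES)}
EEOL_ORDER = {name: i for i, name in enumerate(n for n, eeol in RELEASES if eeol)}


def direct_hop_allowed(src, dst):
    """True if policy permits moving from src to dst in one upgrade or downgrade."""
    if src == dst:
        return False
    if src in EEOL_ORDER and dst in EEOL_ORDER:
        return abs(EEOL_ORDER[src] - EEOL_ORDER[dst]) <= 2
    return abs(ORDER[src] - ORDER[dst]) <= 3


def release_path(src, dst):
    """Fewest-hop sequence of releases from src to dst (breadth-first search).

    Returns [] if dst cannot be reached. Works for downgrades as well as upgrades.
    """
    if src not in ORDER or dst not in ORDER:
        raise ValueError("unknown release")
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt, _ in RELEASES:
            if nxt not in parent and direct_hop_allowed(cur, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    if dst not in parent:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


if __name__ == "__main__":
    print(release_path("8.5", "10.4"))   # ['8.5', '9.3', '10.4']
    print(release_path("10.4", "8.5"))   # ['10.4', '9.3', '8.5']
```

The planner reproduces the worked example in the text: 8.5 reaches 9.3 or 10.0 directly but needs an intermediate stop to reach 10.4, and the same holds for the downgrade back to 8.5.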

Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways and J Series Services Routers

Transceiver Compatibility for SRX Series and J Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used

on SRX Series and J Series interface modules. Different transceiver types (long-range,

short-range, copper, and others) can be used together on multiport SFP interface modules

as long as they are provided by Juniper Networks. We cannot guarantee that the interface

module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs

fall within the power and heat dissipation capacity of the chassis. If power management

is enabled and the capacity is exceeded, the system prevents one or more of the PIMs

from becoming active.


CAUTION: Disabling the power management can result in hardware damage if you overload the chassis capacities.

You can also use CLI commands to choose which PIMs are disabled. For details about

calculating the power and heat dissipation capacity of each PIM and for troubleshooting

procedures, see the J Series Services Routers Hardware Guide.

Supported Third-Party Hardware

The following third-party hardware is supported for use with J Series Services Routers

running Junos OS.

• USB Modem

We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR5637.

• Storage Devices

The USB slots on J Series Services Routers accept a USB storage device or USB storage

device adapter with a CompactFlash card installed, as defined in the CompactFlash

Specification published by the CompactFlash Association. When the USB device is

installed and configured, it automatically acts as a secondary boot device if the primary

CompactFlash card fails on startup. Depending on the size of the USB storage device,

you can also configure it to receive any core files generated during a router failure. The

USB device must have a storage capacity of at least 256 MB.

Table 14 on page 180 lists the USB and CompactFlash card devices supported for use

with the J Series Services Routers.

Table 14: Supported Storage Devices on the J Series Services Routers

Third-Party Part Number   Storage Capacity   Manufacturer
SDCZ2-256-A10             256 MB             SanDisk—Cruzer Mini 2.0
SDCZ3-512-A10             512 MB             SanDisk
SDCZ7-1024-A10            1024 MB            SanDisk
DTI/512KR                 512 MB             Kingston
DTI/1GBKR                 1024 MB            Kingston
SDDR-91-A15               N/A                SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II
SDCFB-512-455             512 MB             SanDisk CompactFlash
SDCFB-1000.A10            1 GB               SanDisk CompactFlash


J Series CompactFlash and Memory Requirements

Table 15 on page 181 lists the CompactFlash card and DRAM requirements for J Series

Services Routers.

Table 15: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   1 GB                                 1 GB                    1 GB
J2350   1 GB                                 1 GB                    1 GB
J4350   1 GB                                 1 GB                    2 GB
J6350   1 GB                                 1 GB                    2 GB

Related Documentation

• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and

J Series Services Routers on page 127

• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways

and J Series Services Routers on page 139

• Errata and Changes in Documentation for JunosOSRelease 11.4 for Branch SRXSeries

Services Gateways and J Series Services Routers on page 172


Junos OS Release Notes for High-End SRX Series Services Gateways

Powered by Junos OS, Juniper Networks high-end SRX Series Services Gateways provide

robust networking and security services. They are designed to secure enterprise

infrastructure, data centers, and server farms. The high-end SRX Series Services Gateways

include the SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

• New Features in Junos OS Release 11.4 for High-End SRX Series Services

Gateways on page 182

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX

Series Services Gateways on page 195

• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services

Gateways on page 198

• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services

Gateways on page 212

• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services

Gateways on page 217

• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX

Series Services Gateways on page 220

• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series

Services Gateways on page 223

New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways

The following features have been added to Junos OS Release 11.4. Following the

description is the title of the manual or manuals to consult for further information.

NOTE: For the latest updates about support and issues on Junos Pulse, see the Junos Pulse Release Notes at http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/pathway-pages/junos-pulse/index.html.

• Software Features on page 183


Software Features

AppSecure

• Application-aware quality of service (AppQoS)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

AppQoS, the application-aware quality-of-service module in AppSecure, provides a

mechanism for prioritizing traffic utilizing the results of the Application Identification

Engine. AppQoS provides application-level traffic control for administrators needing

to ensure that business critical applications get preferential treatment.

AppQoS enables the network administrator to meter, mark, and honor traffic priority

based on application policies. It provides application-aware DSCP marking by

implementing Layer-7 application-based DSCP rewriters. To apply different loss priority

levels to different traffic groups, Layer 2- to Layer 4-based honoring has been expanded

to Layer 7. AppQoS accomplishes application-aware rate limiting by setting the

bandwidth limit and burst size limit for different applications.

[Junos OS Security Configuration Guide]

• Application groups—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

SRX Series devices allow consolidation of applications under a single group name.

Predefined application groups are downloaded as part of the application signature

database. User-defined groups can be created and deleted.

[Junos OS Security Configuration Guide]

• Application group support for application firewall (AppFW)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

SRX Series devices allow you to configure application firewall policies using application

group names. Application group names provide simplified, consistent reuse when

defining application firewall policies.

[Junos OS Security Configuration Guide]

• Application signature management and usability enhancements—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks provides improvements in the usability and management of predefined

application signatures available through the Junos OS application signature package

subscription service.

• Previously, predefined application signature updateswere downloaded to the Junos

OS configuration file, resulting in an unnecessarily large file. To improve usability,

application signature updates are now downloaded and installed in a separate

application signature database on SRX1400, SRX3400, SRX3600, SRX5600, and

SRX5800 devices.

• Using CLI commands, users can manage predefined and custom application

signatures and application signature groups, as follows:

• View detailed and summary information.


• Copy, disable, and enable predefined application signatures for maximum flexibility

in the use and reuse of predefined application signatures and custom application

signatures.

• Create custom application signatures by copying a predefined application signature

and using it as a template.

• CLI services application-identification commands provide more options for the display

and configuration of custom application signatures and application signature groups.

• A new option insert-before customer-signature-name has been added to allow you

to move a custom application signature before a specific predefined application

signature or another custom application signature.

[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS

Security Configuration Guide]

• Nested application identification enhancement—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

New application identification contexts have been added for more extensive nested

application matching.

Several new HTTP contexts have been added for application detection:

• http-get-url-parsed-param-parsed

• http-post-url-parsed-param-parsed

• http-post-variable-parsed

• http-header-user-agent

• http-header-cookie

An SSL context is now supported that identifies a server name in a client or server hello

message.

• ssl-server-name

[Junos OS Security Configuration Guide]

• Onbox application tracking statistics for AppTrack—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

This feature adds application-level statistics to the AppSecure suite. Application

statistics allow an administrator to access cumulative statistics as well as statistics

accumulated over user-defined intervals. The administrator can clear the statistics

and configure the interval values.

Bytes and session count statistics are maintained. Because the statistics count occurs

at AppTrack session close event time, the byte and session counts are not updated

until the session closes.

SRX Series devices support a history of 8 intervals that an administrator can use to

display the application session and byte counts.


[Junos OS CLI Reference, Junos OS Security Configuration Guide]

Flow and Processing

• Central point session scaling—This feature is supported on SRX5800 devices only.

The central point was optimized to increase the total number of central point sessions

to 20 million IPv4 sessions or 10 million IPv6 sessions. This optimization trades

maximum attainable connections per second (CPS) for maximum number of central

point sessions.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Global policy—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Unlike other security policies, global policies do not reference specific source and

destination zones (from-zone and to-zone). Global policies allow you to regulate traffic

with addresses and applications, regardless of their security zones. Global policies

reference user-defined addresses or the predefined address “any.” These addresses

can span multiple security zones.

[Junos OS Security Configuration Guide]

• Services offloading—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Services offloading is a mechanism for processing fast-path packets in the network

processor instead of in the Services Processing Unit (SPU). This method reduces the

long packet processing latency that arises when packets are forwarded from network

processors to SPUs for processing and back to I/O cards (IOCs) for transmission.

Services offloading considerably reduces packet processing latency by 500–600

percent.

When the first packet arrives at the interface, the network processor forwards it to the

SPU. If the SPU verifies that the traffic is qualified for services offloading, a

services-offload session is created on the network processor. If the traffic does not

qualify for services offloading, a normal session is created on the network processor.

If a services-offload session is created, the subsequent fast-path packets are processed

in the network processor itself.

NOTE: A normal session forwards packets from the network processor to the SPU for fast-path processing, while a services-offload session processes fast-path packets in the network processor and the packets exit out of the network processor itself.

When a services-offload session is created on the network processor, subsequent

packets are matched with the session. The network processor then processes and

forwards the packets based on the session information, such as TCP sequence check,

time to live (TTL) processing, Network Address Translation (NAT), and Layer 2 header

translation.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]


General Packet Radio Service (GPRS)

• GPRS tunneling protocol version 2 (GTPv2)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

GPRS tunneling protocol (GTP) establishes a GTP tunnel between a Serving GPRS

Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) for individual

Mobile Stations (MS). Both GTP version 0 (GTPv0) and GTP version 1 (GTPv1) are

implemented using SGSNs and GGSNs only. However, in GTPv2 the traditional SGSNs

and GGSNs are replaced by three logical nodes—a serving gateway (SGW), a packet

data network gateway (PGW), and a mobility management entity (MME).

You can enable GTPv2 by using the following CLI configuration statement:

set security gprs gtp enable

After configuring the above statement, you must reboot the device for GTPv2 inspection

to take effect. To disable GTPv2, delete the security gprs gtp enable configuration

statement from the device.

NOTE: All GTPv2 features are supported on the device only if the security gprs gtp enable command is configured on the device.

You can use the show security gprs gtp tunnels operational mode command to display

details about the existing GTPv2 tunnels configured on the device.

NOTE: IPv6 GTPv2 and GTPv2 for logical systems are not supported in Junos OS Release 11.4.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

Intrusion Detection and Prevention (IDP) and AppSecure

• IDP and application identification support for jumbo frames—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The Intrusion Detection and Prevention (IDP) and application identification security

features support the larger jumbo frame size of 9192 bytes. Although jumbo frames

are enabled by default, you can adjust the maximum transmission unit (MTU) size by

using the set interfaces command.

For logging purposes, the total number of packets captured relative to an IDP attack

will decrease due to the larger packet size in a jumbo frame. The default value is five

packets before and five packets after the packet on which an IDP attack is identified.


NOTE: Although CPU overhead can be reduced while processing jumbo frames, the IDP feature itself requires a minimum of 5 MB of memory for session inspection. If the required memory is not available, IDP will not inspect the applicable sessions. You can view IDP data plane memory by using the show security idp memory command.

[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS

Security Configuration Guide]

• IDP attack description—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices for both J-Web and the CLI.

The IDP attack description feature enables users to use the CLI to learn more about

IDP attack objects. Currently, users view IDP attack objects in the

/var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for

users to investigate and manage IDP attack objects. Users can quickly and easily

administer IDP attack objects when the details are displayed through the CLI.

You can use the show security idp attack description and the show security idp attack

detail operational mode commands to display details about IDP attack objects.

[Junos OS CLI Reference]

IPv6 Support

• Junos OS application identification—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Application firewall was previously supported in the IPv4 environment. Beginning with

Junos OS Release 11.4, it is also supported on IPv6.

SRX Series devices provide additional security protection against known dynamic

applications that can send traffic that might not be adequately controlled by standard

network firewall policies. The application firewall functionality enforces policies based

on the results of the application identification process. The application identification

process identifies applications using pattern matching, protocol decoding, and heuristics.

To implement application firewall support:

• Network security policy–Modify the policy configuration to support the application

firewall rule set within the existing configuration.

• Application firewall rule set–Define an application firewall rule set to be referenced

by the network security policy.

[Junos OS Security Configuration Guide]

• Web authentication—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Web authentication now supports IPv6 addresses.

[Junos OS Security Configuration Guide]


• Firewall authentication—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Firewall authentication now supports IPv6 addresses.

[Junos OS Security Configuration Guide]

J-Web

• Customer branding of firewall authentication webpage—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks enables the administrator to replace the embedded Juniper Networks

logo present on the firewall authentication webpage with a customer graphic. It also

provides the ability to create a different logo for different logical systems.

• AppQoS monitoring—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

A new Application QoS Monitoring J-Web page allows you to view counters and

statistics for AppQoS activity. The rate limiters statistics pane displays transfer rate

information for recent traffic per PIC. The rules statistics pane displays the amount of

traffic on each PIC broken down by the rule set and rule applied to each session.

Counters for selected rule-sets display AppQoS session activity per PIC.

• IDP monitoring—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 Services Gateways.

The following pages have been added to the J-Web user interface:

• Attacks Monitoring page

• Applications Monitoring page

• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Logical Systems

• The logical systems feature is now supported on SRX1400 devices in addition to existing

support on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

[Junos OS Logical Systems Configuration Guide for Security Devices]

• J-Web user and interconnect logical systems configuration—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

When you are logged in to the device as the master administrator, you can configure

logical systems on the Logical System Configuration page. The Logical System

Information page displays information about the logical systems configured on the

device.

When you are logged in to the device as a user logical system administrator, the

following tabs are available to you:

• Dashboard tab—Displays the resources allocated to the logical system.


• Configure tab—Allows you to configure interfaces, NAT, and security features for

the user logical system.

• Monitor tab—Allows you to monitor the configured features of the user logical system.

• CPU usage allocation and control—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

In Junos OS Release 11.4, the master administrator can configure and control CPU

utilization by logical systems. The master administrator enables CPU utilization control

with the cpu-control configuration statement at the [edit system security-profile

resources] hierarchy level.

When CPU utilization control is enabled, the master administrator can configure the

following CPU utilization parameters:

• Reserved quota of CPU utilization, in percent, is specified for each logical system.

The reserved quota guarantees that a specified percentage of the CPU is always

available to the logical system. The master administrator specifies the reserved CPU

quota in a logical system security profile with the cpu reserved configuration

statement at the [edit system security-profiles profile-name] hierarchy level. The

security profile is applied to one or more logical systems.

If CPU control is enabled and reserved CPU quotas are not configured, the default

reserved quota for the master logical system is 1 percent and the default reserved

quota for user logical systems is 0 percent.

• CPU control target is the upper limit, in percent, for CPU utilization under normal

operating conditions. If the overall CPU utilization surpasses the configured target

value, the Junos OS software initiates controls to bring CPU utilization between the

target value and 90 percent of the target value. During runtime, CPU utilization by

each logical system is measured every two seconds. Dropping packets is used to

reduce the CPU usage for a particular logical system. If the CPU usage of a logical

systemexceeds its quota, CPU utilization control drops the packets received on that

logical system. The packet rate is calculated every two seconds based on CPU

utilization of all logical systems.

Themaster administrator configures the CPU control target with the

cpu-control-target configuration statement at the [edit system security-profile

resources] hierarchy level. The default CPU control target is 80 percent.

The sum of the reserved CPU quotas for all logical systems on the devicemust be less

than 90 percent of the CPU control target; the difference is a shared CPU resource

that can be allocated among the logical systems that need additional CPU allocation.

The actual CPU quota that a single logical system can use is the sum of its reserved

CPU quota and its portion of the shared CPU resource.

[Junos OS Logical Systems Configuration Guide for Security Devices]
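The quota arithmetic above (reserved quotas, the 90-percent-of-target bound, the shared remainder, and the per-interval drop decision) is easy to get wrong when sizing a security profile. The following model is an added illustration and is not Juniper code: the logical-system names and percentages are constructed, and the rule that the shared pool is split equally among the logical systems that are currently over their reserved quota is an assumption, since the notes do not say how the pool is divided.

```python
"""Model of the logical-system CPU utilization control described in the
notes above. Added illustration, not Juniper code: names and percentages
are constructed, and the equal split of the shared pool is an assumption."""

from dataclasses import dataclass, field

DEFAULT_TARGET = 80.0           # default cpu-control-target, in percent
DEFAULT_MASTER_RESERVED = 1.0   # default reserved quota of the master logical system
DEFAULT_USER_RESERVED = 0.0     # default reserved quota of a user logical system
MEASURE_INTERVAL_SEC = 2        # utilization is sampled every two seconds


@dataclass
class CpuControl:
    systems: list                                   # logical-system names
    target: float = DEFAULT_TARGET                  # cpu-control-target (%)
    reserved: dict = field(default_factory=dict)    # name -> reserved quota (%)

    def reserved_for(self, name):
        """Reserved quota of one logical system, falling back to the defaults."""
        if name in self.reserved:
            return self.reserved[name]
        return DEFAULT_MASTER_RESERVED if name == "master" else DEFAULT_USER_RESERVED

    def reserved_total(self):
        return sum(self.reserved_for(n) for n in self.systems)

    def validate(self):
        """The reserved quotas must sum to less than 90 percent of the target."""
        return self.reserved_total() < 0.9 * self.target

    def shared_pool(self):
        """What is left below 90 percent of the target is shared on demand."""
        return 0.9 * self.target - self.reserved_total()

    def effective_quota(self, name, demanding):
        """Reserved quota plus this system's portion of the shared pool.

        Assumption: the pool is split equally among the systems currently
        using more than their reserved quota (the 'demanding' set)."""
        share = self.shared_pool() / len(demanding) if name in demanding else 0.0
        return self.reserved_for(name) + share

    def control_step(self, usage):
        """One two-second control decision.

        usage: name -> CPU percent measured over the last interval.
        Returns name -> fraction of received packets to drop so that the
        system falls back to its quota; 0.0 means no action. Nothing is
        dropped while overall utilization is at or below the target."""
        if sum(usage.values()) <= self.target:
            return {n: 0.0 for n in usage}
        demanding = {n for n, u in usage.items() if u > self.reserved_for(n)}
        drops = {}
        for n, u in usage.items():
            quota = self.effective_quota(n, demanding)
            drops[n] = 0.0 if u <= quota else round(1.0 - quota / u, 3)
        return drops


if __name__ == "__main__":
    ctl = CpuControl(["master", "ls1", "ls2"],
                     reserved={"master": 10.0, "ls1": 20.0, "ls2": 20.0})
    print("config valid:", ctl.validate(), "shared pool:", ctl.shared_pool())
    print(ctl.control_step({"master": 5.0, "ls1": 60.0, "ls2": 25.0}))
```

With the constructed profile (target 80, reserved 10/20/20) the shared pool is 22 percent; a sample in which ls1 uses 60 percent pushes the device over the target, so ls1 is cut back to its reserved 20 plus half the pool, while the master and ls2 stay within quota and lose nothing.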

• VPN tunnel—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

This feature allows the master logical system and a user logical system to share a VPN tunnel in a route-based VPN. The master administrator must assign the security tunnel (st0) interface to a user logical system. The master administrator configures IKE and IPsec SA parameters at the root level. The user logical system administrator can change the attributes of the st0 interface. To send traffic into the tunnel, the user logical system administrator configures a security policy to permit traffic to a remote destination and a route with the st0 as the next hop.

NOTE: Only route-based VPNs are supported for logical systems. Policy-based VPNs are not supported.

The master administrator assigns an st0 interface to a user logical system with the st0 unit number configuration statement at the [edit logical-systems name interfaces] hierarchy level. The master administrator configures IKE and IPsec in the master logical system with the VPN configuration at the [edit security ipsec] hierarchy level. VPN monitoring can be configured by the master administrator at the root level. For the VPN monitor source interface, the master administrator must specify the st0 interface; a physical interface for a user logical system cannot be specified.

The user logical system administrator can set attributes for the st0 interface, such as an IP address, at the [edit interfaces st0 unit number] hierarchy level. The user logical system administrator configures security policies with the policy configuration statement at the [edit security policies from-zone zone to-zone zone] hierarchy level and static routes with the static route configuration statement at the [edit routing-options] hierarchy level.

[Junos OS Logical Systems Configuration Guide for Security Devices]

• IDP—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

This feature allows the master administrator to configure IDP policies for user logical systems. The master administrator can create one or more IDP policies at the root level using intrusion prevention system (IPS) or application-level distributed denial-of-service (DDoS) rulebases. The master administrator specifies the IDP policy in a logical system security profile that is bound to one or more user logical systems.

NOTE: In Junos OS Release 11.4, user logical system administrators cannot create or modify IDP policies for their user logical systems. Only the master administrator can create IDP policies.

A single IDP security package is installed on the device for all logical systems. An idp-sig license must be installed at the root level.

The master administrator configures an IDP policy at the root level using the idp-policy configuration statement at the [edit security idp] hierarchy level. To specify the IDP policy in a logical system security profile, the master administrator uses the idp-policy configuration statement at the [edit system security-profile profile-name] hierarchy level.

[Junos OS Logical Systems Configuration Guide for Security Devices]

• IPv6 addresses in logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

In Junos OS Release 11.4, IPv6 addresses can be configured in logical systems for the following features:

• Interfaces
• Flows
• Zones and security policies
• Screen options
• Network address translation (except for interface NAT)
• Administrative operations with telnet, ssh, https, and other utilities
• Chassis clusters

[Junos OS Logical Systems Configuration Guide for Security Devices]

• Logical system name in security logs—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Security logs are system log messages that include security events. If a device is configured for logical systems, security logs generated within the context of a logical system use the name logname_LS (for example, IDP_ATTACK_LOG_EVENT_LS). The logical system version of a log has the same set of attributes as the log for devices that are not configured for logical systems, but it also includes logical-system-name as the first attribute. If a device is configured for logical systems, log parsing scripts might need to be modified because the log name includes the _LS suffix and the logical-system-name attribute can be used to segregate logs by logical system.

If a device is not configured for logical systems, the security logs remain unchanged and scripts built to parse logs do not need any modification.

NOTE: Only the master administrator can configure logging at the [edit security log] hierarchy level. User logical system administrators cannot configure logging for their logical systems.

[Junos OS Logical Systems Configuration Guide for Security Devices]
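A parsing script updated along the lines the notes describe has to do two things: recognise the _LS variant of an event name so existing per-event handling keeps working, and read logical-system-name from the first attribute so records can be bucketed per logical system. The script below is an added example, not Juniper code; the line layout and the attribute names in the sample lines are constructed to follow only the rule stated in the notes (an _LS suffix, logical-system-name first), and real device output carries more fields and a different framing.

```python
"""Parser for security logs emitted inside logical systems, as described
above. Added example, not Juniper code: the line layout and the attribute
names are constructed to follow the naming rule in the notes."""

import re
from collections import defaultdict

LS_SUFFIX = "_LS"
LS_ATTR = "logical-system-name"

# Constructed sample lines: two from logical systems, one from a device
# that is not configured for logical systems.
SAMPLE_LOGS = [
    'RT_IDP: IDP_ATTACK_LOG_EVENT_LS: logical-system-name="ls-finance" '
    'epoch-time="1323000000" attack-name="EXAMPLE:ATTACK-A" action="DROP"',
    'RT_IDP: IDP_ATTACK_LOG_EVENT_LS: logical-system-name="ls-hr" '
    'epoch-time="1323000002" attack-name="EXAMPLE:ATTACK-B" action="NONE"',
    'RT_IDP: IDP_ATTACK_LOG_EVENT: epoch-time="1323000003" '
    'attack-name="EXAMPLE:ATTACK-C" action="DROP"',
]

LINE_RE = re.compile(r'^(?P<process>\S+): (?P<event>[A-Z0-9_]+): (?P<attrs>.*)$')
ATTR_RE = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')


def parse_log(line):
    """Return a dict for one line, or None if it is not a parsable security log."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pairs = ATTR_RE.findall(m.group("attrs"))   # (key, value) in the order logged
    event = m.group("event")
    record = {"event": event, "attrs": dict(pairs)}
    if event.endswith(LS_SUFFIX):
        # Strip the suffix so existing per-event handlers keep matching.
        record["base_event"] = event[: -len(LS_SUFFIX)]
        # The notes put logical-system-name first; treat its absence as a
        # malformed line rather than guessing which logical system it was.
        if not pairs or pairs[0][0] != LS_ATTR:
            return None
        record["logical_system"] = pairs[0][1]
    else:
        record["base_event"] = event
        record["logical_system"] = None     # device without logical systems
    return record


def segregate(lines):
    """Group parsed logs by logical system; the None key holds non-LS logs."""
    buckets = defaultdict(list)
    for line in lines:
        record = parse_log(line)
        if record is not None:
            buckets[record["logical_system"]].append(record)
    return dict(buckets)


if __name__ == "__main__":
    for ls, records in segregate(SAMPLE_LOGS).items():
        print(ls, [r["base_event"] for r in records])
```

Keeping the un-suffixed name in base_event means the same downstream rules apply to a device with and without logical systems, which is the compatibility point the notes make; the logical-system bucket is what a tenant-scoped dashboard or alert rule would key on.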

• Data path debugging for traffic between logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. Data path debugging can also be performed on traffic between logical systems. Only the master administrator can configure data path debugging for logical systems at the [edit security datapath-debug] hierarchy level. User logical system administrators cannot configure data path debugging for their logical systems.

When tracing is configured for the jexec event type, the trace output contains logical system information. The master administrator can also configure tracing for traffic between logical systems by specifying the lt-enter and lt-leave event types. The trace output shows traffic entering and leaving the logical tunnel between logical systems. The preserve-trace-order option can be configured to sort the output chronologically. In addition to the trace action, other actions such as packet-dump and packet-summary can be configured for the lt-enter and lt-leave events.

[Junos OS Logical Systems Configuration Guide for Security Devices]

• Multicast traffic—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Multicast is a “one source, many destinations” method of traffic distribution, meaning that the destinations needing to receive the information from a particular source receive the traffic stream. In Junos OS Release 11.4, the master and user logical system administrators can configure a logical system to support multicast applications. The same multicast configurations used to configure a device as a node in a multicast network can be used in a logical system.

[Junos OS Routing Protocols and Policies Configuration Guide for Security Devices]

• Application firewall support on logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The Juniper Networks application firewall enables administrators of logical systems to create security policies for traffic based on the results of the application identification engine. The application firewall policy provides additional security protection against dynamic application traffic that might not be adequately controlled by standard network firewall policies.

Configuring an application firewall policy on a logical system is the same process as configuring an application firewall policy on a device that is not configured with logical systems. However, the application firewall policy applies only to the logical system for which it is configured. The master administrator can configure, enable, and monitor application firewall policies on the master logical system and all user logical systems on a device. The user logical system administrators can configure, enable, and monitor an application firewall policy only on the user logical systems to which they have access.

To implement this feature:

• Network security policy—The master administrator defines a security profile and allocates a number of system resources for use by logical systems on the device. In this case, the application firewall resources (appfw-rule-set and appfw-rule) are added to the security profile, and the security profile is bound to a logical system. The master administrator and user logical system administrators add the application firewall configuration to the security policy for their respective logical systems.

• Application firewall—The master administrator and user logical system administrators configure and manage application firewall rule sets and rules for their respective logical systems.

[Junos OS Logical Systems Configuration Guide for Security Devices]

Network Address Translation (NAT)

• Configurable capacity for source NAT pools with PAT—On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the capacity of source NAT pools and IP addresses has been increased to support more users. When Port Address Translations (PAT) are set for each IP address, automatic checks ensure memory limits are not exceeded.

[Junos OS Security Configuration Guide, Junos OS CLI Reference]

Security

• GTP IE removal—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The multiple versions of the Third-Generation Partnership Project (3GPP) create interoperability problems in the mobile network. Junos OS Release 11.4 supports removal of R7, R8, and R9 information elements (IEs) of the GTPv1 messages, which allows you to retain interoperability.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Aggressive session aging—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The aggressive session aging mechanism accelerates the session timeout process when the number of sessions in the session table exceeds a specified high-watermark threshold. This minimizes the likelihood of the SRX Series devices rejecting new sessions when the session table is full.

[Junos OS Security Configuration Guide]
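The mechanism is easier to reason about as a small session-table model, so the following is added here as an illustration; it is not Juniper code. The notes give only the trigger (session count above a high watermark) and the effect (an accelerated timeout). The early-ageout value, expiring the most idle sessions first, and stopping the accelerated pass once the count is back at the watermark are assumptions of this model, and the capacity and timings are constructed.

```python
"""Model of aggressive session aging, as an added illustration (not Juniper
code). Only the high-watermark trigger and the accelerated timeout come
from the notes; early_ageout, the most-idle-first order and stopping at
the watermark are assumptions. Sizes and times are constructed."""

from dataclasses import dataclass


@dataclass
class Session:
    key: str
    last_activity: float   # seconds since an arbitrary epoch
    timeout: float         # normal idle timeout for this session, seconds


class SessionTable:
    def __init__(self, capacity, high_watermark_pct, early_ageout, aggressive=True):
        self.capacity = capacity
        self.high_watermark = capacity * high_watermark_pct / 100.0
        self.early_ageout = early_ageout        # assumed accelerated idle timeout
        self.aggressive = aggressive            # feature on/off, for comparison
        self.sessions = {}

    def above_high_watermark(self):
        return len(self.sessions) > self.high_watermark

    def add(self, key, now, timeout=1800.0):
        """Install a session; a full table rejects it (the outcome the feature reduces)."""
        if len(self.sessions) >= self.capacity:
            return False
        self.sessions[key] = Session(key, now, timeout)
        return True

    def touch(self, key, now):
        """Record activity on an existing session."""
        self.sessions[key].last_activity = now

    def age(self, now):
        """Expire idle sessions; returns how many were removed."""
        removed = 0
        if self.aggressive:
            # Most idle first; stop as soon as the count is back at the watermark.
            by_idle = sorted(self.sessions.values(),
                             key=lambda s: now - s.last_activity, reverse=True)
            for s in by_idle:
                if not self.above_high_watermark():
                    break
                if now - s.last_activity >= self.early_ageout:
                    del self.sessions[s.key]
                    removed += 1
        # The normal idle timeout applies to whatever is left, watermark or not.
        expired = [k for k, s in self.sessions.items() if now - s.last_activity >= s.timeout]
        for k in expired:
            del self.sessions[k]
        return removed + len(expired)


def fill(table, count, now):
    """Add count sessions named s0..s{count-1}; returns how many were accepted."""
    return sum(table.add(f"s{i}", now) for i in range(count))


if __name__ == "__main__":
    for aggressive in (True, False):
        table = SessionTable(capacity=10, high_watermark_pct=80, early_ageout=20.0,
                             aggressive=aggressive)
        fill(table, 9, now=0.0)
        print("aggressive" if aggressive else "normal", "aging removed",
              table.age(30.0), "sessions; table now holds", len(table.sessions))
```

In the constructed run a 10-entry table with an 80 percent watermark holds nine idle sessions; with the feature on, the 30-second aging pass evicts one session at the assumed 20-second early ageout and stops, leaving room for new sessions, whereas with it off nothing expires until the normal 1800-second timeout.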

• EZchip low latency—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The high-end SRX Series devices currently have long packet-processing latency because of packet processing through the Services Processing Unit (SPU) and through several stages of buffers in the data path.

This feature introduces a local forwarding solution where the fast-path packets are processed by the EZchip on the I/O Card (IOC), without going through the switch fabric or the SPU. This solution reduces latency. The user needs to have a permanent low-latency firewall license to enable this feature on the chassis.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Security policies for self-traffic—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Users can now configure security policies for the self-traffic (the host inbound traffic or the host outbound traffic) of the device. The user can further apply relevant services to the new self-traffic policy.

The security policies for the self-traffic are configured under the new default security zone called junos-host zone.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

VPN

• Internet Key Exchange version 2 (IKEv2)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

IKEv2 is the next-generation standard for secure key exchange between peer devices, defined in RFC 4306. IKEv2 is available in Junos OS Release 11.4 for securing IPsec traffic. The initial release does not support all the capabilities described in the RFCs.

The advantages of using version 2 over version 1 are as follows:

• Simplifies the existing IKEv1
• Single RFC, including NAT-T, EAP, and remote address acquisition
• Replaces the 8 initial exchanges with a single 4-message exchange
• Reduces the latency for the IPsec SA setup and increases connection establishment speed
• Increases robustness against DoS attack
• Improves reliability through the use of sequence numbers, acknowledgements, and error correction
• Provides forward compatibility
• Provides simple cryptographic mechanisms

IKEv2 includes support for:

• Route-based VPN
• Site-to-site VPN
• Dead peer detection (liveness check)
• Chassis cluster
• Certificate-based authentication
• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange
• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if the child SAs are currently active, the corresponding IKE SA will be rekeyed.
• IKE version 1 and IKE version 2

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Site-to-site VPN support for NAT-T—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Site-to-site IKE gateway configuration for Network Address Translation-Traversal (NAT-T) is now supported on the server side (IKE responder). This is in addition to the current implementation of NAT-T support for dynamic IKE gateway configuration. A remote-identity value is used to validate a peer’s ike-id or id during Phase 1 of IKE tunnel negotiation.

[Junos OS Security Configuration Guide]

SNMP

• Juniper Networks enterprise-specific License MIB—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. This feature extends SNMP support for licensing information.

The enterprise-specific License MIB:

• Contains information about license features and the expiration details to reduce the burden involved in managing licenses.
• Generates traps to alert users. For example, an alert is generated when a license expires or when the total number of users exceeds the maximum number specified in the license.
• Provides access to license-related information through the SNMP get and get-next operations.

[Junos OS SNMP MIBs and Traps Reference; MIB Reference for SRX1400, SRX3400, and SRX3600 Services Gateways; MIB Reference for SRX5600 and SRX5800 Services Gateways]

Related Documentation

• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 217
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 195
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198

Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:

AppSecure Application Package Upgrade Changes

• Application signatures removed after upgrading to Junos OS Release 11.4—This change applies to SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices that use the application identification signature package.

In Junos OS Release 11.4, the application signature package is downloaded and installed in a separate database, not in the Junos OS configuration file as in previous Junos OS releases.

When you upgrade an SRX Series device from Junos OS Release 11.2 to Junos OS Release 11.4, any predefined application signatures and signature groups from the Junos OS Release 11.2 configuration will be removed when you install the latest predefined signatures and signature groups by using the request services application-identification install command. However, the upgrade will not remove custom signatures and signature groups from the Junos OS configuration.

For information about using the request services application-identification download and request services application-identification install commands, see the Junos OS CLI Reference.

General Packet Radio Service (GPRS)

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices in active/active chassis cluster mode with GPRS enabled, the seq-number-validated command is disabled in the GTP profile and is no longer available for configuration.

Intrusion Detection and Prevention (IDP)

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for a dynamic attack group using the direction filter, the expression AND should be used in the exclude values. As is the case with all filters, the default expression is OR. However, there is a choice of AND in the case of the direction filter.

For example, if you want to choose all attacks with the direction client-to-server, configure the direction filter using the set security idp dynamic-attack-group dyn1 filters direction values client-to-server command.

In the case of chain attacks, each of the multiple members has its own direction. If a policy includes chain attacks, a client-to-server filter selects all chain attacks that have any member with client-to-server as the direction. This means chain attacks that include members with server-to-client or ANY as the direction are selected if the chain has at least one member with client-to-server as the direction.

To prevent these chain attacks from being added to the policy, configure the dynamic group as follows:

• set security idp dynamic-attack-group dyn1 filters direction expression and
• set security idp dynamic-attack-group dyn1 filters direction values client-to-server
• set security idp dynamic-attack-group dyn1 filters direction values exclude-server-to-client
• set security idp dynamic-attack-group dyn1 filters direction values exclude-any
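The difference between the OR default and the AND expression is clearest when the selection rule is written out against a few attacks. The model below is an added illustration, not Juniper code: the attack names and member directions are constructed, and the semantics (a plain value is satisfied when some member has that direction, an exclude- value when no member has it, OR needing any value and AND needing every value) are a reconstruction of what the notes describe rather than a copy of the device's implementation.

```python
"""Model of the dynamic-attack-group direction filter semantics described
above. Added illustration, not Juniper code: attack names and member
directions are constructed; the rules are reconstructed from the notes."""

from dataclasses import dataclass

CLIENT_TO_SERVER = "client-to-server"
SERVER_TO_CLIENT = "server-to-client"
ANY = "any"
EXCLUDE = "exclude-"


@dataclass(frozen=True)
class Attack:
    name: str
    member_directions: tuple   # one direction per member; a non-chain attack has one


def value_satisfied(attack, value):
    """One configured filter value against one attack.

    A plain direction is satisfied when some member has that direction;
    an exclude-<direction> value is satisfied when no member has it."""
    if value.startswith(EXCLUDE):
        return value[len(EXCLUDE):] not in attack.member_directions
    return value in attack.member_directions


def matches(attack, values, expression="or"):
    """'or' (the default for all filters) selects the attack when any value
    is satisfied; 'and' requires every value to be satisfied."""
    results = [value_satisfied(attack, v) for v in values]
    return all(results) if expression == "and" else any(results)


def select(attacks, values, expression="or"):
    """Names of the attacks the dynamic group would contain."""
    return [a.name for a in attacks if matches(a, values, expression)]


# Constructed catalogue: single-member attacks plus chain attacks whose
# members carry different directions.
SAMPLE_ATTACKS = (
    Attack("SIMPLE-C2S", (CLIENT_TO_SERVER,)),
    Attack("SIMPLE-S2C", (SERVER_TO_CLIENT,)),
    Attack("CHAIN-C2S-ONLY", (CLIENT_TO_SERVER, CLIENT_TO_SERVER)),
    Attack("CHAIN-MIXED", (CLIENT_TO_SERVER, SERVER_TO_CLIENT)),
    Attack("CHAIN-WITH-ANY", (CLIENT_TO_SERVER, ANY)),
)

# The two configurations from the notes: the plain filter, and the filter
# with the exclude values that is meant to be combined with expression and.
PLAIN_FILTER = (CLIENT_TO_SERVER,)
STRICT_FILTER = (CLIENT_TO_SERVER, EXCLUDE + SERVER_TO_CLIENT, EXCLUDE + ANY)

if __name__ == "__main__":
    print("plain filter, OR:", select(SAMPLE_ATTACKS, PLAIN_FILTER))
    print("strict filter, OR:", select(SAMPLE_ATTACKS, STRICT_FILTER, "or"))
    print("strict filter, AND:", select(SAMPLE_ATTACKS, STRICT_FILTER, "and"))
```

Running it shows why the notes insist on expression and: with the default OR, adding exclude-server-to-client and exclude-any makes the group larger, not smaller (even SIMPLE-S2C gets in through exclude-any), while AND keeps only the attacks whose every member is client-to-server.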

IPv6

• On all SRX and J Series devices, a new configuration option for IPv6 Neighbor Discovery Protocol (NDP) is added. This option prevents the device from responding to a Neighbor Solicitation (NS) from a prefix that was not included as one of the device interface prefixes.

The new command is:

set protocols neighbor-discovery onlink-subnet-only

NOTE: The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry remaining in the forwarding table.

Management Information Base (MIB)

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in a chassis cluster environment, the calculation of the primary and secondary node sessions in the JnxJsSPUMonitoringObjectsTable object of the SPU monitoring MIB is incorrect because the MIB object jnxJsSPUMonitoringCurrentTotalSession incorrectly displays total sessions. A doubled session count is displayed because the active and backup nodes are treated as separate sessions, although they are not.

Only the session numbers on the local node are now counted, thereby avoiding a double count, and local total sessions are displayed.

In a chassis cluster environment, the SPUMonitoringCurrentTotalSession object of the MIB adds information per each SPU from the local node.

[MIB Reference for SRX1400, SRX3400, and SRX3600 Services Gateways; MIB Reference for SRX5600 and SRX5800 Services Gateways]

Multicast

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, if the maximum number of leaves on a multicast distribution tree is exceeded, multicast sessions are created up to the maximum number of leaves, and any multicast sessions that exceed the maximum number of leaves are ignored. In previous releases, no multicast traffic was forwarded if the maximum number of leaves on the multicast distribution tree was exceeded. The maximum number of leaves on a multicast distribution tree is device specific.

Security

• Public key infrastructure (PKI) objects include certificates, key pairs, and certificate revocation lists (CRLs). PKI objects are read from the PKI database when the PKI daemon (PKID) starts. The PKID database loads all certificates into memory at boot time.

When an object is read into memory from the PKI database, the following new log message is created:

PKID_PV_OBJECT_READ: A PKI object was read into memory from <location>

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 217
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198

Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways

AppSecure

• When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

• J-Web pages for AppSecure are preliminary.

• Custom application signatures and custom nested application signatures are not currently supported by J-Web.

• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW counters.

Chassis Cluster

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, only four QoS queues are supported per reth/ae interface.

• In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to increase the wait time before triggering failover. In a full-capacity implementation, we recommend increasing the wait to 8 seconds by modifying the heartbeat-threshold and heartbeat-interval values in the [edit chassis cluster] hierarchy.

The product of the heartbeat-threshold and heartbeat-interval values defines the time before failover. The default values (heartbeat-threshold of 3 beats and heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.

To change the wait time, modify the option values so that the product equals the desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the default value for the heartbeat-interval (1000 milliseconds) yields a wait time of 8 seconds. Likewise, setting the heartbeat-threshold to 4 and the heartbeat-interval to 2000 milliseconds also yields a wait time of 8 seconds.

• Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families is not supported.

• On SRX Series devices, only two of the 10 ports on each PIC of 40-port 1-Gigabit Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously enable IP address monitoring. Because there are four PICs per IOC, this permits a total of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will succeed but a log entry will be generated, and the accuracy and stability of IP address monitoring cannot be ensured. This limitation does not apply to any other IOCs or devices.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IP address monitoring is not permitted on redundant Ethernet interface link aggregation groups (LAGs) or on child interfaces of redundant Ethernet interface LAGs.

• On SRX1400, SRX3000, and SRX5000 line chassis clusters, screen statistics data can be gathered on the primary device only.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, ISSU does not support version downgrading.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.

Dynamic Host Configuration Protocol (DHCP)

• SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices do not support DHCPv6 client authentication.

Dynamic VPN

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, DH-group 14 is not supported for dynamic VPN.

Flow and Processing

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when packet-logging functionality is configured with a higher pre-attack configuration parameter value, the resource usage increases proportionally and might affect performance.

• Services offloading has the following limitations on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices:

• Transparent mode is not supported. If transparent mode is configured, a normal session is installed.
• Link aggregation group (LAG) is not supported. If a LAG is configured, a normal session is installed.
• Only multicast sessions with one fan-out are supported. If a multicast session with more than one fan-out exists, a normal session is installed.
• Only active/passive chassis cluster (HA) configuration is supported. Active/active chassis cluster configuration is not supported.
• Fragmented packets are not supported. If fragmented packets exist, a normal session is installed.
• Ingress and egress interfaces on different network processors are not supported. If an ingress interface and the related egress interface do not belong to the same network processor, a normal session is installed on the network processor.
• IP version 6 (IPv6) is not supported. If IPv6 is configured, a normal session is installed.

NOTE: A normal session forwards packets from the network processor to the Services Processing Unit (SPU) for fast-path processing, while a services-offload session processes fast-path packets in the network processor and the packets exit out of the network processor itself.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the default authentication table capacity is 45,000; the administrator can increase the capacity to a maximum of 50,000.

• On SRX1400 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, you cannot configure route policies and route patterns in the same dial plan.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, high CPU utilization triggered for reasons such as CPU-intensive commands and SNMP walks causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing large BGP updates.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading is not supported in low-impact ISSU chassis cluster upgrades (LICU).

• On SRX5800 devices, network processing bundling is not supported in Layer 2 transparent mode.

Hardware

This section covers filter and policing limitations.

• On SRX1400, SRX3400, and SRX3600 devices, the following feature is not supported by a simple filter:

• Forwarding class as match condition

• On SRX1400, SRX3400, and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:

• Color-aware mode of a three-color-policer
• Filter-specific policer
• Forwarding class as action of a policer
• Logical interface policer
• Logical interface three-color policer
• Logical interface bandwidth policer
• Packet loss priority as action of a policer
• Packet loss priority as action of a three-color-policer

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:

• Policer action
• Egress filter-based forwarding (FBF)
• Forwarding table filter (FTF)

• Egress filter-based forwarding (FBF) within the same zone over IP-IP and generic routing encapsulation (GRE) tunnel is not supported.

• If egress FBF redirects a packet to a zone that is different from the original obtained from the previous route lookup and flow processing, then the packet is dropped.

• SRX3400 and SRX3600 devices have the following limitations of a simple filter:

  • Forwarding class as match condition
  • In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
  • In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
  • In the packet processor on an IOC, the maximum number of policers is 4000.
  • In the packet processor on an IOC, the maximum number of three-color-policers is 2000.
  • The maximum burst size of a policer or three-color-policer is 16 MB.

• On SRX3400 and SRX3600 devices, when you enable the monitor traffic option using the monitor traffic command to monitor the FXP interface traffic, interface bounce occurs. You must use the monitor traffic interface fxp0 no-promiscuous command to avoid the issue.

Interfaces and Routing

• On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, BGP-based virtual private LAN service (VPLS) over aggregated Ethernet (ae) interfaces is not supported. It works on child ports and physical interfaces.

Internet Key Exchange Version 2 (IKEv2)

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKEv2 does not include support for:

• Policy-based tunnels
• Dial-up tunnels
• Network Address Translation-Traversal (NAT-T)
• VPN monitoring
• Next-Hop Tunnel Binding (NHTP) for st0—Reusing the same tunnel interface for multiple tunnels
• Extensible Authentication Protocol (EAP)
• IPv6
• Multiple child SAs for the same traffic selectors for each QoS value
• Proposal enhancement features
• Reuse of Diffie-Hellman (DH) exponentials
• Configuration payloads
• IP Payload Compression Protocol (IPComp)
• Dynamic Endpoint (DEP)

Intrusion Detection and Prevention (IDP)

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, from Junos OS Release 11.2 and later, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (secDb install) is automatically performed when the IDP daemon comes up, and previously installed database files get deleted. However, migration depends on the XML files for the installed database being present on the device. For first-time installation, full update files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.

Workaround: Use the CLI command request security idp security-package download full-update to manually download the individual components of the security package from the Juniper Security Engineering portal before upgrading or downgrading the image in the previous case.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IDP policies for each user logical system are compiled together and stored in the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:

  • IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.

  • As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, ingress as ge-0/0/2 and egress as ge-0/0/2.100 works with flow showing both source and destination interface as ge-0/0/2.100.

• IDP does not allow header checks for nonpacket contexts.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure that you do not configure rulebase-ddos rules that have two different application-ddos objects when the traffic destined to one application server can process more than one rule. Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server processes only one application-level DDoS rule.

NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

The following configuration options can be committed, but they will not work properly:

  Application Server   application-ddos   service   destination-ip   destination-zone   source-zone
  1.1.1.1:80           http-appddos1      http      any              dst-1              source-zone-1
  1.1.1.1:80           http-appddos2      http      any              dst-1              source-zone-2

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level DDoS rule base (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined Junos OS applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.

When you configure the application setting as default, intrusion detection and prevention (IDP) uses application identification to detect applications running on standard and nonstandard ports; thus, the application-level DDoS detection would work properly.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following IDP policies are supported:

  • DMZ_Services
  • DNS_Service
  • File_Server
  • Getting_Started
  • IDP_Default
  • Recommended
  • Web_Server

• IDP deployed in both active/active and active/passive chassis clusters has the following limitations:

  • No inspection of sessions that fail over or fail back.
  • The IP action table is not synchronized across nodes.
  • The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.
  • The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.

• IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
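The application-level DDoS note earlier in this section says that two rulebase-ddos rules with different application-ddos objects must not both be able to process traffic to the same application server, because the rules are terminal and only one of them will ever see a given flow. The following is an added example, not Juniper's code and not anything shipped with Junos OS: a small Python lint that models each rule with the columns of the table in that note (the rule names and the separate server field are assumptions made for the example) and reports every protected server that is covered by more than one application-ddos object. The two rules from the note's table are used as the failing input.

```python
"""
Lint for application-level DDoS (rulebase-ddos) rules.

Added example, not Junos code. Per the release note, traffic headed to one
protected application server must only ever match a single application-ddos
object; this checker groups rules by protected server and flags servers that
are reachable through two or more different application-ddos objects.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DdosRule:
    # Columns from the note's table; `name` and `server` are constructed here.
    name: str              # rule name (assumed, for reporting only)
    application_ddos: str  # application-ddos object the rule applies
    service: str
    destination_ip: str
    destination_zone: str
    source_zone: str
    server: str            # protected application server, "ip:port"


def find_conflicting_servers(rules):
    """Return {server: sorted distinct application-ddos objects} for every
    server that more than one application-ddos object can process."""
    by_server = defaultdict(set)
    for rule in rules:
        by_server[rule.server].add(rule.application_ddos)
    return {srv: sorted(objs) for srv, objs in by_server.items() if len(objs) > 1}


def describe(rules):
    """Human-readable report: one line per conflicting server."""
    lines = []
    for srv, objs in sorted(find_conflicting_servers(rules).items()):
        names = sorted(r.name for r in rules if r.server == srv)
        lines.append(f"{srv}: rules {names} use different application-ddos objects {objs}")
    return lines


# The two rules from the note's table (constructed rule names).
BROKEN = [
    DdosRule("r1", "http-appddos1", "http", "any", "dst-1", "source-zone-1", "1.1.1.1:80"),
    DdosRule("r2", "http-appddos2", "http", "any", "dst-1", "source-zone-2", "1.1.1.1:80"),
]

# Same two source zones, but one application-ddos object per protected server.
FIXED = [
    DdosRule("r1", "http-appddos1", "http", "any", "dst-1", "source-zone-1", "1.1.1.1:80"),
    DdosRule("r2", "http-appddos1", "http", "any", "dst-1", "source-zone-2", "1.1.1.1:80"),
    DdosRule("r3", "http-appddos2", "http", "any", "dst-2", "source-zone-1", "2.2.2.2:80"),
]

if __name__ == "__main__":
    for line in describe(BROKEN):
        print(line)
    print("fixed rule set conflicts:", find_conflicting_servers(FIXED))
```

The grouping key is the protected server rather than the zone pair on purpose: the note's two rules differ only in source zone and still conflict, because each one is terminal for the traffic it matches and the two would split one server's traffic between two different application-ddos objects.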

Internet Protocol Security (IPsec)

• On SRX Series devices, when you enable VPN, overlapping of the IP addresses across virtual routers (VRs) is supported partially with the following limitations:

  • An IKE external interface address cannot overlap with any other VR.
  • An internal/trust interface address can overlap across VRs.
  • An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnel such as NHTB.
  • An st0 interface address can overlap in route-based VPN in point-to-point tunnel.

IPv6 IPsec

IPv6 IPsec implementation has the following limitations:

• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.

• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.

• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel scalability numbers might drop.

• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel throughput performance.

• The IPv6 IPsec VPN does not support the following functions:

  • 4in6 and 6in4 policy-based site-to-site VPN, IKE
  • 4in6 and 6in4 route-based site-to-site VPN, IKE
  • 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
  • 4in6 and 6in4 route-based site-to-site VPN, Manual Key
  • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
  • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
  • Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
  • IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
  • IKE peer type—Dynamic IP
  • Chassis cluster for basic VPN features
  • IKE authentication—PKI/RSA
  • NAT-Traversal
  • VPN monitoring
  • Hub-and-spoke VPNs
  • Next Hop Tunnel Binding Table (NHTB)
  • Dead Peer Detection (DPD)
  • Simple Network Management Protocol (SNMP) for IPsec VPN MIBs
  • Chassis cluster for advanced VPN features
  • IPv6 link-local address
  • SRX Series high-end devices (for example, SRX3000 and SRX5000 lines) dependency

IPv6 Support

• NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

• Security policy—IDP for IPv6 sessions is supported only for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. UTM for IPv6 sessions is not supported. If your current security policy uses rules with the IP address wildcard any, and UTM features are enabled, you will encounter configuration commit errors because UTM features do not yet support IPv6 addresses. To resolve the errors, modify the rule returning the error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic that do not include UTM features.

J-Web

• J-Web browser support compatibility for Dell PowerConnect SRX Series and SRX Series devices—To access J-Web for all platforms, your device requires the following supported browsers and OS:

  • To access the J-Web interface, your management device requires the following software:

    • Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
    • Language support—English-version browsers
    • Supported OS—Microsoft Windows XP Service Pack 3

• If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.


Logical Systems

• The master logical system must not be bound to a security profile that is configured with a 0 percent reserved CPU quota, as traffic loss could occur. When upgrading an SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 device from Junos OS Release 11.2, make sure that the reserved CPU quota in the security profile that is bound to the master logical system is configured for 1 percent or more. After upgrading from Junos OS Release 11.2, the reserved CPU quota is added to the default security profile with a value of 1 percent.

• Starting with Junos OS Release 11.2, address books can be defined under the [security] hierarchy level instead of the [security zones] hierarchy level. This enhancement makes configuring your network simpler by allowing you to share IP addresses in address books when configuring features such as security policies and NAT. You can attach zones to address books—this is known as zone-attached configuration.

Junos OS Release 11.4 continues to support address book configuration under the [security zones] hierarchy level—this is known as zone-defined configuration. However, we recommend that zone-attached address book configuration be used in the master logical system and user logical systems.

If you upgraded your SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 device to this Junos OS Release 11.4, and are configuring logical systems on the device, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert zone-defined configuration to zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems. See the section “Upgrade and Downgrade Scripts for Address Book Configuration” of “Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways” on page 223.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the logical systems feature does not support ALGs for user logical systems because ALGs are configured globally. If you enable ALGs at the root master logical system level, they are also enabled for user logical systems in this Junos OS Release 11.4. In this case, user logical system traffic is processed by the ALGs, and corresponding ALG flow sessions are initiated under the user logical system. You can only enable and disable ALGs at the root master logical system level.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in this Junos OS Release 11.4, the IPv6 forwarding and the logical system configuration are mutually exclusive. If you enable the IPv6 forwarding options (packet mode or flow mode), the logical system configuration related commit will fail, and vice versa.

You can still configure certain IPv6 objects under the root logical system and the user logical system if the system is in default mode (DROP). However, you cannot forward IPv6 traffic in this case.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, quality-of-service (QoS) classification across interconnected logical systems does not work.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the number of logical system security profiles you can create is constrained by an internal limit on security profile IDs. The security profile ID range is from 1 through 32, with ID 0 reserved for the internally configured default security profile. When the maximum number of security profiles is reached, if you want to add a new security profile, you must first delete one or more existing security profiles, commit the configuration, and then create the new security profile and commit it. You cannot add a new security profile and remove an existing one within a single configuration commit.

If you want to add more than one new security profile, the same rule is true. You must first delete the equivalent number of existing security profiles, commit the configuration, and then create the new security profiles and commit them.

• User and administrator configuration for logical systems—Configuration for users for all logical systems and all user logical system administrators must be done at the root level by the master administrator. A user logical system administrator cannot create other user logical system administrators or user accounts for their logical systems.

• Name-space separation—The same name cannot be used in two logical systems. For example, if logical-system1 includes the username “Bob”, then other logical systems on the device cannot include the username “Bob”.

• Commit rollback—Commit rollback is supported at the root level only.

• Trace and debug—Trace and debug are supported at the root level only.

• Class of service—You cannot configure class of service on logical tunnel (lt-0/0/0) interfaces.

• ALGs—The master administrator can configure ALGs at the root level. The configuration is inherited by all user logical systems. It cannot be configured discretely for user logical systems.
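The security-profile limit described in the Logical Systems list above (IDs 1 through 32, ID 0 reserved for the default profile, and a deletion that frees its slot only once its own commit has completed) is the kind of constraint worth checking before a commit is attempted rather than discovering it from a commit error. The following is an added example and not Junos code: a Python model of that rule, with profile names constructed for the example, that rejects any commit which adds profiles beyond the slots free in the last committed state (so deleting and adding in the same commit does not help when the table is full) and lays out the two-commit delete-then-add sequence the note calls for.

```python
"""
Pre-commit check for logical-system security profiles.

Added example, not Junos code. It models the documented constraint: usable
profile IDs are 1..32 (ID 0 is the internal default), and profiles deleted in
a commit free their IDs only after that commit, so a commit may add at most as
many profiles as were free in the previously committed state.
"""
MAX_PROFILE_ID = 32      # usable IDs 1..32 per the release note
DEFAULT_PROFILE_ID = 0   # reserved for the internally configured default profile


class CommitError(Exception):
    """Raised when a proposed commit violates the profile-ID constraint."""


def check_commit(committed, add, delete):
    """Validate one commit against the last committed set of profile names.

    `committed` is the set of profile names currently committed; `add` and
    `delete` are the names this commit would create and remove. Returns the
    new committed set, or raises CommitError saying what must happen first.
    """
    add, delete = set(add), set(delete)
    unknown = delete - committed
    if unknown:
        raise CommitError(f"cannot delete unknown profiles: {sorted(unknown)}")
    # Deletions in this same commit do not free IDs yet, so only the
    # previously committed count determines how many additions fit.
    free_slots = MAX_PROFILE_ID - len(committed)
    if len(add) > free_slots:
        raise CommitError(
            f"{len(add)} new profile(s) requested but only {free_slots} free ID(s); "
            f"delete {len(add) - free_slots} existing profile(s) and commit first")
    return (committed - delete) | add


def commit_allowed(committed, add, delete):
    """Boolean form of check_commit, convenient for scripts and tests."""
    try:
        check_commit(committed, add, delete)
        return True
    except CommitError:
        return False


def plan_replacement(committed, old_names, new_names):
    """Turn 'replace these profiles with those' into the commit sequence the
    note requires when the table is full: delete-and-commit, then add-and-commit.
    Each step is an (add, delete) pair; the plan is validated before it is returned."""
    steps = [(set(), set(old_names)), (set(new_names), set())]
    state = set(committed)
    for add, delete in steps:
        state = check_commit(state, add, delete)   # raises if the plan is invalid
    return steps


if __name__ == "__main__":
    # Constructed example: the table is full with 32 user-defined profiles.
    full = {f"lsys-profile-{i}" for i in range(1, MAX_PROFILE_ID + 1)}
    print("add+delete in one commit:", commit_allowed(full, {"new"}, {"lsys-profile-1"}))
    for add, delete in plan_replacement(full, ["lsys-profile-1"], ["new"]):
        print("commit: add", sorted(add), "delete", sorted(delete))
```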

Network Address Translation (NAT)

• Maximum capacities for source pools and IP addresses have been extended on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, as follows:

  Pool/PAT Maximum Address Capacity          SRX1400   SRX3400/SRX3600   SRX5600/SRX5800
  Source NAT pools                           8192      8192              12288
  IP addresses supporting port translation   8192      8192              12288
  PAT port number                            256M      256M              256M

Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range or the pool-default-port-range statement to override the specified default.

Configuring port overloading should also be done carefully when source NAT pools are increased.

For a source pool with port address translation (PAT) in range (64,510 through 65,533), two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use. On SRX5600 and SRX5800 devices, if all of the 4096 source pool is configured, a port allocation of 8,388,608 is reserved for twin port use.

• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.

The number of destination and static NAT rules has been incremented as shown in Table 16 on page 210. The limitation on the number of destination-rule-set and static-rule-set has been increased.

Table 16 on page 210 provides the requirements per device to increase the configuration limitation as well as to scale the capacity for each device.

Table 16: Number of Rules on SRX3400, SRX3600, SRX5600, and SRX5800 Devices

  NAT Rule Type          SRX3400/SRX3600   SRX5600/SRX5800
  Source NAT rule        8192              8192
  Destination NAT rule   8192              8192
  Static NAT rule        20480             20480

The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.

• IKE negotiations involving NAT-T—On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500.


Security

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.

Table 17: Number of Addresses in an address-set on SRX3400, SRX3600, SRX5600, and SRX5800 Devices

  Device    address-set
  Default   1024
  SRX3400   1024
  SRX3600   1024
  SRX5600   1024
  SRX5800   1024

Simple Network Management Protocol (SNMP)

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show snmp mib CLI command will not display the output for security related MIBs. We recommend that you use an SNMP client and prefix logical-system-name@ to the community name. For example, if the community is public, use default@public for the default root logical system.

Unsupported CLI

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the mvrp CLI option under the set protocols CLI command is not supported but it is visible. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the command restart ipsec-key-management is not supported.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

  • show multicast scope inet6
  • show msdp sa group group
  • show pim mvpn


Virtual Private Networks (VPNs)

• The local-IP feature is not supported on the following:

  • SRX Series devices in chassis cluster configuration.
  • SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnel scaling and sustaining issues are as follows:

  • For a given private IP address, the NAT device should translate both 500 and 4500 private ports to the same public IP address.
  • The total number of tunnels from a given public translated IP cannot exceed 1000 tunnels.

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182

• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 217

• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 212

• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 195

Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways

The following problems currently exist in Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Application Layer Gateway (ALG)

• On SRX3400 and SRX3600 devices, when the CPU of the central point (CP) reaches 99 percent, there is an rm group leak on the secondary node because of RTO message drop. [PR/569624]

• On SRX3400 devices, in active/backup chassis cluster mode, after RG failover Avaya phones cannot hang up. Some messages sent by Avaya phones are dropped by the device. If you want to make another call, you should unregister the phone and register again. [PR/581917]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, after 2 days of NAT/ALG traffic and with some failovers, SIP RM group leaks are observed when all calls and sessions are dropped. [PR/584215]

• On SRX3400 devices, when you receive an initial acknowledgment (INIT-ACK), the device records the cookie length in the association. If the cookie length is not a multiple of four, the device pads it to a multiple of 4. For example, the length in the INIT-ACK is 183, but you save 184 in the association. When the cookie echo comes, the device compares the cookie length in the packet with the recorded cookie length in the association. However, it is not a padded value; that is, it is still 183 in the cookie length field of the cookie echo. Therefore, the comparison fails, and the log shows the cookie as invalid. [PR/671238]

• On SRX3400 and SRX5600 devices, CPS of RTSP ALG traffic in both Layer 2 and Layer 3 mode is dropped to 300 per SPU. [PR/676053]

• On SRX5600 devices in chassis cluster, if the ALG traffic is too high and twin ports are used up, some single ports on the backup node might leak. [PR/705799]
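PR/671238 in the ALG list above describes a length comparison that can never succeed for cookies whose length is not a multiple of four: the association stores the length after padding it to a 4-byte boundary, while the COOKIE ECHO carries the unpadded length. The following is an added example, not Junos code: it builds a State Cookie parameter and a COOKIE ECHO chunk in the RFC 4960 wire format (parameter type 7 and chunk type 10, each with a 16-bit length that excludes padding; the cookie bytes themselves are constructed), records the length both the defective way and the correct way, and runs the comparison. A 179-byte cookie plus the 4-byte header gives the note's length of 183.

```python
"""
Added example (not Junos code) modelling the state-cookie length mismatch in
PR/671238. Wire formats follow RFC 4960: the State Cookie parameter in INIT-ACK
is a TLV (type 7, 16-bit length excluding padding, padded to 4 bytes on the
wire); the COOKIE ECHO chunk (type 10) carries the same cookie and a 16-bit
length that also excludes padding.
"""
import struct

STATE_COOKIE_PARAM = 7   # RFC 4960 parameter type for State Cookie
COOKIE_ECHO_CHUNK = 10   # RFC 4960 chunk type for COOKIE ECHO


def pad4(n):
    """Bytes consumed on the wire: length rounded up to a multiple of 4."""
    return (n + 3) & ~3


def build_state_cookie_param(cookie):
    """INIT-ACK State Cookie TLV: 4-byte header + cookie + zero padding."""
    length = 4 + len(cookie)
    return struct.pack("!HH", STATE_COOKIE_PARAM, length) + cookie + b"\0" * (pad4(length) - length)


def build_cookie_echo_chunk(cookie):
    """COOKIE ECHO chunk: type, flags, 16-bit unpadded length, cookie, padding."""
    length = 4 + len(cookie)
    return struct.pack("!BBH", COOKIE_ECHO_CHUNK, 0, length) + cookie + b"\0" * (pad4(length) - length)


def record_cookie_length(param, padded):
    """What the association remembers from the INIT-ACK State Cookie TLV.
    padded=True reproduces the defect: the wire stride (184 for 183) is stored
    instead of the length field itself."""
    ptype, length = struct.unpack("!HH", param[:4])
    if ptype != STATE_COOKIE_PARAM:
        raise ValueError(f"not a State Cookie parameter: type {ptype}")
    return pad4(length) if padded else length


def cookie_echo_length(chunk):
    """Length field of a COOKIE ECHO chunk (never padded on the wire)."""
    ctype, _flags, length = struct.unpack("!BBH", chunk[:4])
    if ctype != COOKIE_ECHO_CHUNK:
        raise ValueError(f"not a COOKIE ECHO chunk: type {ctype}")
    return length


def cookie_is_valid(recorded_len, chunk):
    """The comparison the device performs when the COOKIE ECHO arrives."""
    return recorded_len == cookie_echo_length(chunk)


def check(cookie, padded):
    """Run one association through INIT-ACK and COOKIE ECHO; True if accepted."""
    param = build_state_cookie_param(cookie)
    chunk = build_cookie_echo_chunk(cookie)
    return cookie_is_valid(record_cookie_length(param, padded), chunk)


# Constructed cookies: 179 bytes yields the note's length 183 (header + 179);
# 180 bytes yields 184, a multiple of four, where the defect cannot show.
COOKIE_183 = bytes(179)
COOKIE_184 = bytes(180)

if __name__ == "__main__":
    print("length 183, padded record :", check(COOKIE_183, padded=True))
    print("length 183, exact record  :", check(COOKIE_183, padded=False))
    print("length 184, padded record :", check(COOKIE_184, padded=True))
```

The padded stride is the right value for walking to the next parameter in the INIT-ACK, but the wrong value to keep for comparison; storing the length field as carried, and using `pad4` only to advance through the parameter list, keeps the two uses apart.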

Chassis Cluster

• On SRX1400 devices, a timing error is observed at the system I/O (sysio) interface, which connects to the IOC in slot 2. You can enable chassis cluster on the sysio ports, but do not use the IOC card in slot 2 for Junos OS Release 11.4. [PR/680832]

• On SRX3400 devices, when a chassis cluster failover route change is triggered and the service-offload session will be reinstalled, if one service-offload session is a multicast session in the master node, then that session will be synced and installed as a normal session in the backup node because the services-offload flag is not being correctly synced to the backup. [PR/696819]

• On SRX1400 devices in chassis cluster, unwanted timed-out data path trace messages are seen. [PR/703272]

• On SRX5600 devices, the APN filter does not work when RG0 and RGX primary are in different nodes. [PR/707047]

Flow and Processing

• On SRX3400 and SRX3600 devices, the diagnostic test (diagtest) for recb_i2c_rep_clk_generator and recb_i2c_chassis_ideeprom fails. [PR/602621, PR/704967]

• On SRX3600 devices, preempt can occur to the designated primary node with priority 0 on RG1+ if the designated secondary node is currently working as the primary node. [PR/612753]

• On SRX5800 devices with chassis cluster in NAT mode, the unknown message log ipc_msg_write:%PFE-3: IPC message type: 27, subtype: 2 exceeds MTU, mtu 3216, length 3504 might appear occasionally due to internal communication. [PR/612757]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, changes in policer, filter, or sampling configuration cause core files to be generated when multicast traffic is received. [PR/613782]

• On SRX5800 devices, memory usage on the SPU by the KMD process might rise unexpectedly, causing VPN tunnel setup problems. Once the process reaches the memory usage limit, the following message will be logged:

  • Jun 20 09:19:46 HOSTNAME (FPC Slot N, PIC Slot M) kernel: Process (176,kmd) attempted to exceed RLIMIT_DATA: attempted 262164 KB Max 262144 KB

[PR/664301]

• OnSRX5600devices,whenGPRStunnelingprotocol (GTP) isenabledandwhenthere

are GTP-wide conflicts hashed in the same buckets, a core file is generated.

[PR/680822]

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, a successful

webauth entry will not be updated or re-written if you re-login using another correct

usernameandpassword.Although there is a successful authenticationentry, thismight

still cause the user traffic not pass through the firewall if the new username is added

as a client match user in the policy. [PR/683603]

• OnSRX3600devices, due toa remote racecondition, themasterRoutingEnginemight

not send the deletion of the destination route pointing to the decoupled next hop to

the replicated Routing Engine, which can result in rnh_index_alloc() error on the

replicated Routing Engine. [PR/684981]

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show

class-of-service application-traffic-control statistics rule command currently displays

the number of packets that arrive in a session. The command should actually display

the number of sessions. [PR/690691]

• On SRX5800 devices, due to some issue in the fxp driver, after deleting the fxp

configuration and rolling it back, the fxp0 is forcefully set to 100m/full duplex mode.

[PR/696733]

• On SRX1400 devices, traffic sent to yourself through a GRE tunnel is blocked

unexpectedly by policy. It is likely that the security flow process chooses the wrong

ingress interface insteadof thephysical interfacebeneath theGRE tunnel,which should

be gr-0/0/0.xl The workaround is to configure a to-self policy from the zone that

contains physical interface of the GRE tunnel. [PR/698647]

• On SRX5600 devices, when IKE and IPsec configuration or security configuration is

removed and added back frequently, KMD core files might be generated. [PR/698718,

PR/698666]

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, a memory leak occurs during audit event processing. As a workaround, enable the security log cache using the cache statement at the [edit security log] hierarchy level. [PR/698907]

• On SRX5600 devices, the create_pdp_rsp message handler changes the tunnel state from half to active and inserts the tunnel into the active timer wheel without holding the tunnel lock. When del_pdp_rsp deletes the user tunnel or clears the path at the same time, both the aging flag and the timer wheel entry pointer can be changed. [PR/699147]

• On SRX5600 devices, after you modify a GTP profile's configuration within the firewall, the modifications take effect only for newly created sessions; existing sessions keep the old GTP profile settings. If you want the new GTP profile settings to apply to all sessions, clear all sessions in the firewall. [PR/703327]

• On SRX1400 devices, RTSP interleaved data packets cannot be passed when the RTP length exceeds 3 KB. [PR/703663]

• On SRX5600 devices, packets with a length of 500 bytes are corrupted when only the packet capture of data path debug is configured, without record-pic-history and event np-egress. [PR/706858]

Interfaces and Routing

• On SRX3400 devices, during failover, there is a small window of time in which the SPU does not detect whether an NP is in services-offload mode or not. This might cause a small number of the services-offload sessions to change to normal sessions. [PR/697426]

• On SRX5600 devices, GTP-in-GTP detection examines bytes 10, 11, and 12 of the GTPv0 packet header, which are spare bytes. The 3GPP TS states that these three bytes are to be set to 0xff but does not make this mandatory. When the GTP-in-GTP denied feature is enabled, the device checks these bytes as a mandatory field: if the three bytes are not all 0xff, the packet is not treated as GTPv0 and is allowed to pass through the firewall. As a result, some malformed attack packets might get through the firewall. [PR/703267]

• On SRX1400 devices, RTSP interleaved data packets cannot be passed when the RTP length exceeds 3 KB. [PR/703663]

• On SRX3600 devices, after configuring the logical interfaces with IPv6 addresses, the

corresponding routes are not resolved and are stuck at reject state. Because of this

the connection between the logical interfaces is unreachable. [PR/705847]
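The following Python model is an added illustration of the GTP-in-GTP failure mode described above for PR/703267; it is not Juniper code and does not reproduce the SRX implementation. It builds a GTPv0 G-PDU whose user payload is an IPv4/UDP datagram to the GTPv0 port carrying a second GTPv0 header, then classifies the inner header two ways: by the version bits alone, and by additionally requiring the three spare bytes (bytes 10 to 12 of the header) to be 0xff, as the strict check does. The packet builders, the UDP port number, the tunnel ID and the sample payload are constructed for this example.

```python
"""Illustrative model of the GTP-in-GTP check described for PR/703267.
Not Juniper code. Header layout follows the 20-byte GTPv0 header:
flags, message type, length, sequence, flow label, N-PDU number,
three spare bytes (expected 0xff) and an 8-byte TID."""
import struct

GTPV0_HDR_LEN = 20
GTPV0_UDP_PORT = 3386        # UDP port used by GTPv0 (assumption for this example)
GTP_MSG_GPDU = 0xFF          # G-PDU message type that carries user data
SPARE_OK = b"\xff\xff\xff"   # bytes 10, 11 and 12 of the header (1-based)


def gtpv0_packet(payload, msg_type=GTP_MSG_GPDU, spare=SPARE_OK, tid=0x1122334455667788):
    """Build a GTPv0 PDU. Flags 0x1e: version 0, PT=1, spare bits 111, SNN=0."""
    fixed = struct.pack("!BBHHHB", 0x1E, msg_type, len(payload), 0, 0, 0xFF)
    return fixed + spare + struct.pack("!Q", tid) + payload


def ipv4_udp_packet(src, dst, sport, dport, payload):
    """Minimal IPv4 header (no options, zero checksum) plus a UDP header. Constructed data."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst))
    return ip + udp


def is_gtpv0(data, strict_spare):
    """Classify bytes as a GTPv0 header.
    strict_spare=True mirrors the behaviour in the PR: the spare bytes must be 0xff,
    otherwise the data is 'not GTPv0' and the packet is let through."""
    if len(data) < GTPV0_HDR_LEN:
        return False
    if data[0] >> 5 != 0:                 # version is the top three bits of byte 1
        return False
    if strict_spare and data[9:12] != SPARE_OK:
        return False
    return True


def is_gtp_in_gtp(outer, strict_spare):
    """True if a GTPv0 G-PDU carries an IPv4/UDP datagram to the GTPv0 port whose
    payload is itself a GTPv0 header, that is, GTP tunnelled inside GTP."""
    if not is_gtpv0(outer, strict_spare=False) or outer[1] != GTP_MSG_GPDU:
        return False
    inner = outer[GTPV0_HDR_LEN:]
    if len(inner) < 28 or inner[0] >> 4 != 4 or inner[9] != 17:   # IPv4 carrying UDP
        return False
    ihl = (inner[0] & 0x0F) * 4
    udp = inner[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != GTPV0_UDP_PORT:
        return False
    return is_gtpv0(udp[8:], strict_spare)


def build_nested(spare):
    """A GTPv0 G-PDU whose user payload is another GTPv0 PDU addressed to the GTPv0 port."""
    inner_gtp = gtpv0_packet(b"user-data", spare=spare)
    ip = ipv4_udp_packet([10, 0, 0, 1], [10, 0, 0, 2], 3386, GTPV0_UDP_PORT, inner_gtp)
    return gtpv0_packet(ip)


def check_all():
    """Detection results for a conforming inner header and one with non-0xff spare bytes."""
    conforming = build_nested(SPARE_OK)
    evasive = build_nested(b"\x00\x00\x00")     # still version 0, spare bytes not 0xff
    return {
        "conforming_lenient": is_gtp_in_gtp(conforming, strict_spare=False),
        "conforming_strict": is_gtp_in_gtp(conforming, strict_spare=True),
        "evasive_lenient": is_gtp_in_gtp(evasive, strict_spare=False),
        "evasive_strict": is_gtp_in_gtp(evasive, strict_spare=True),
    }


if __name__ == "__main__":
    for name, hit in check_all().items():
        print(f"{name}: {'GTP-in-GTP detected' if hit else 'passed'}")
```

The evasive packet is caught when classification relies on the version bits and missed when the spare bytes are treated as mandatory, which is the gap the PR describes: a field the specification only recommends cannot be used as the sole proof that a packet is not GTP.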

Intrusion Detection and Prevention (IDP)

• On SRX5600 devices, loading the IDP detector might cause a flowd crash, showing

memcpy as the top of the stack. [PR/570361]

J-Web

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, on the following pages in the J-Web interface, if you try to generate a report by using the Generate Report option, the report opens in the same webpage:

• Monitor > Events and Alarms > View Events

[PR/433883]

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, using the CLI you can configure an AppQoS rule set without configuring any other differentiated-services (DiffServ) parameters. In J-Web, however, you must configure at least one DiffServ parameter for a new AppQoS rule set. [PR/686462]


• On SRX1400 devices, when modifying an existing policy or creating a new policy with the junos-host zone in J-Web, the junos-host zone is not available in the from-zone or to-zone list. [PR/697863]

• On SRX3400 devices, in J-Web, you cannot edit the lt interface for a logical system (LSYS). [PR/700354]

Logical Systems

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when multiple logical systems use the All attack IDP policy, the policy fails to compile on the Routing Engine because of a memory limit.

The IDP policies for each user logical system are compiled together and stored in data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:

• IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.

• As the application database grows, compiled policies require more memory. Memory usage should be kept below the available data plane memory to allow for database growth.

[PR/667983]

• On SRX3400 devices, when you configure an LSYS and then load an override configuration with a different LSYS (the configuration containing both the old and the new LSYS), the proxy-ndp route might fail to be pushed to the Packet Forwarding Engine. If you delete the old LSYS and add the new LSYS in one commit, the proxy-ndp route might also fail to be pushed to the Packet Forwarding Engine. [PR/673930]

• On SRX5600 devices in a chassis cluster, some NAT sessions might remain in invalidated status after multiple failovers. [PR/676385]

• On SRX1400 devices, the logical systems (lsys) capacity number for

nat-rule-referenced-prefix lsys profile is displayed incorrectly. [PR/707108]

Management Information Base (MIB)

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when the device is polled with 5 SPCs or 3 SPCs installed, it reports the wrong number of sessions for the object ID jnxJsSPUMonitoringMaxTotalSession (1.3.6.1.4.1.2636.3.39.1.12.1.3.0). [PR/488653]

Network Address Translation (NAT)

• On SRX3600 devices, when there is heavy SIP traffic and share gate is involved, NAT

translation-context might leak. [PR/675869]

• On SRX3400 devices, NAT does not support ISSU prior to Junos OS Release 11.1. Therefore, when you attempt to upgrade the device from Junos OS Release 10.4 or 11.1 to Junos OS Release 11.4, the NAT configuration on the Packet Forwarding Engine side will be incorrect and NAT allocation will fail, preventing creation of the RTSP control session on the backup node. [PR/686447]


• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, static NAT with the default routing instance does not work. As a workaround, when static NAT is configured, use a named routing instance instead of the default one. [PR/706183]

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure two static NAT rules in the default routing instance with the same prefix, one rule with the static-nat prefix routing-instance default statement and the other without it, the commit completes without any warning about the overlapping prefixes. Do not use the same static NAT prefix in two rules in the default routing instance with one rule configured as static-nat prefix routing-instance default and the other not. [PR/708433]

Upgrade and Downgrade

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, application identification does not support downgrading the image. When you downgrade the device from Junos OS Release 12.1 to 11.4, you must download and install the signature database again.

If you upgrade the device from Junos OS Release 11.4 to 12.1, the application identification signatures take about 30 seconds to recompile. During these 30 seconds, application identification does not identify traffic, and the application firewall drops that traffic as unknown sessions. [PR/689304]

Virtual Private Network (VPN)

• On SRX3600 devices, after RG0 failover, packet loss is seen through VPNs.

[PR/604640]

• On SRX5600 devices with a large configuration and heavy traffic, after a reboot failover in a chassis cluster, the Routing Engine on the new primary node becomes very busy. As a result, the FPC might detach, causing traffic passing through the firewall device to fail. [PR/698150]

• On SRX5600 devices, the Key Management daemon (KMD) may restart when you change the configuration from dynamic endpoint (DEP) to shared IKE. The workaround for this issue is to deactivate security policies before switching the configuration from DEP to shared IKE. [PR/702222]

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182

• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198

• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220

Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways

The following are the issues that have been resolved in Junos OS Release 11.4 for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Application Layer Gateways (ALGs)

• On SRX5600 devices in a chassis cluster, when 12-KB traffic was sent, RG1 and RG2

failover occurred with a resource manage error. [PR/601784: This issue has been

resolved.]

Chassis Cluster

• On SRX5600 devices, ISSU took additional time when network traffic was heavy. If

the ISSU process duration was longer than 1 hour, it aborted automatically without

completing the upgrade. [PR/585873: This issue has been resolved.]

• On SRX3600 devices in a chassis cluster, some interfaces on node 0 showed

unspecified speed and half-duplex. [PR/597575: This issue has been resolved.]

• On SRX5800 devices, chassis cluster was not failing over redundancy groups

automatically when one node experienced certain hardware errors (HSL2 link CRC

errors). [PR/606594: This issue has been resolved.]

Flow and Processing

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, predefined applications and application groups are editable. However, changes made to them were not persistent across application identification signature or IDP signature database upgrades, and commit failed. [PR/560897: This issue has been resolved.]

• On SRX5800 devices in NAT mode, flowd crashed due to kernel memory corruption that was triggered by a race condition when the IDP module was maintaining the ASC (application system cache) pool. [PR/579242: This issue has been resolved.]

• On SRX3400, SRX3600, and SRX5600 devices, hostbound traffic BFD session state

did not change from the init state. [PR/601310: This issue has been resolved.]

• On SRX1400, SRX3400, and SRX3600 devices, when the receiver for a multicast group was in dense mode, no multicast traffic was observed. [PR/601850: This issue has been resolved.]

• On SRX5800 devices, data plane security logs sent in security log mode stream were emitted with the facility encoded as UUCP. The PRI value has been changed to correctly show the USER facility in the system logs sent directly from the data plane. This change does not affect logs sent from the Routing Engine. [PR/663022: This issue has been resolved.]

• On SRX3400 devices, SIP datagrams were being reordered, resulting in a rejection of the INVITE message from the X-Lite client to the other user. [PR/667420: This issue has been resolved.]


• On SRX3400 devices, small packets were dropped when preserve-trace-order or record-packet-history was enabled during data path debugging. [PR/671900: This issue has been resolved.]

• On SRX3400 devices, in transparent mode EBGP session timeout was not updated,

causing sessions to close after 20 seconds. [PR/671942: This issue has been resolved.]

Installation and Upgrade

• On SRX1400 devices, when you upgraded or downgraded to a later or earlier Junos OS version and the data path FPGA images were upgraded or downgraded as well, traffic did not flow through the device immediately after the upgrade or downgrade was complete. The fabric (HSL2) links of the SPC and NPC cards were prematurely reported as being in fault, reset, or error state following an automatic upgrade or downgrade of the FPGAs. [PR/608148: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

• On SRX5800 devices, removing the ip-block action statement from the IDP configuration blocked the applicable traffic. [PR/599245: This issue has been resolved.]

Infrastructure

• On SRX5800 devices, when more than 10 member links were added to an aggregate bundle and then to a class-of-service process, core files were sometimes generated and the device restarted because of memory corruption in that process. [PR/613422: This issue has been resolved.]

Interfaces and Routing

• On SRX5600 devices, there were issues with support for GTPv2 and GTP ISSU failure

between Junos OS Release 11.2 and later releases. [PR/664202: This issue has been

resolved.]

IPv6

• On SRX3600 devices, IPv6 self traffic caused flowd_xlr core files to be generated. [PR/667592: This issue has been resolved.]

• On SRX3400 devices, in some cases IPv6 flow sessions were overwriting other memory, causing incorrect statistics or memory corruption. The memory corruption triggered generation of a flowd core file. [PR/672794: This issue has been resolved.]

J-Web

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, you were unable to set custom column alignment on the UTM policy and Zone configuration pages. [PR/667207: This issue has been resolved.]

• On SRX3400 devices, sometimes J-Web did not populate content properly. [PR/671805: This issue has been resolved.]


Logical Systems

• On SRX3400 devices, when NAT64 was used in logical system (LSYS), the binding

did not age out and the reversed binding did not match successfully. The NAT64 in

LSYS function did not work. [PR/675052: This issue has been resolved.]

Network Address Translation (NAT)

• On SRX3400 devices, when the device under test was configured with the maximum reference number of address books in source NAT or destination NAT, the counts on the Routing Engine and the Packet Forwarding Engine differed. [PR/580201: This issue has been resolved.]

• SRX1400 devices supported only 256 destination NAT pools; this number did not

match the specification sheet of 4096. [PR/598474: This issue has been resolved.]

• On SRX3600 devices, under certain specific circumstances, interface-based source

NAT resources leaked. [PR/613300: This issue has been resolved.]

SNMP MIBs

• On SRX5800 devices, the NAT SNMP MIB counter jnxJsNatSrcNumSessions was not refreshed until the walk command was issued. [PR/663788: This issue has been resolved.]

Virtual Private Network (VPN)

• On SRX3600 devices, KMD core files were generated after users deleted and re-added VPN configurations. [PR/560932: This issue has been resolved.]

• On SRX3600 devices, the secondary node of the dynamic endpoint tunnel IP did not

update correctly during cold synchronization. [PR/604640: This issue has been

resolved.]

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182

• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198

• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220

Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways

Errata for the Junos OS Software Documentation

This section lists outstanding issues with the software documentation.

Junos OS CLI Reference

• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in the proposal-set (IPsec) section. The IPsec proposals should be as follows:

• basic—nopfs-esp-des-sha and nopfs-esp-des-md5

• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5

• standard—g2-esp-3des-sha and g2-esp-aes128-sha

Note that the basic and compatible sets negotiate single DES and MD5 and neither uses Perfect Forward Secrecy; where the peer allows it, prefer the standard set or a custom proposal with AES and SHA.

J-Web

• J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about the download status.

• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.

• J-Web Configuration Instructions—Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos administration and configuration guides became obsolete and were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.

Junos OS Security Configuration Guide

• The Junos OS Security Configuration Guide incorrectly states that the release supports security chains, which validate a certificate path upward through up to eight levels of certificate authorities in the PKI hierarchy. The release does not support security chains.

Errata for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.

SRX1400 Services Gateway Hardware Guide

• The fan tray LED table in the “Replacing the Fan Tray on the SRX1400 Services

Gateway” section of the SRX1400 Services Gateway Hardware Guide erroneously

documents that:

Amber (On Steadily): Fan tray LED cannot detect fan failure.

The correct information for this section is as follows: Amber LED (on steadily): Fan

tray LED does not indicate fan failure.

• Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the grounding lug attached to the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.

• In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously

document “RE ETHERNET” port as “ETHERNET” port.

• Connecting the SRX1400 Services Gateway to a Network for Out-of-Band

Management


• SRX1400 Services Gateway Software Configuration Overview

• The SRX1400 Services Gateway Hardware Guide and the SRX1400 Services Gateway Getting Started Guide are missing the following note:

NOTE: AC and DC Power Supply Units are not interoperable between the SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.

SRX1400 Services Gateway Getting Started Guide

• In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown with the grounding lug attached on the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.

• Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show

graphics with the grounding lug attached to the device front panel. The grounding lug

is not attached to the device at the time of shipment.

• The SRX1400 Services Gateway Getting Started Guide should document the following statement:

You can replace the Network and Services Processing Card (NSPC) with the SRX3000 line Services Gateway Network Processing Card (NPC) and Services Processing Card (SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC and SPC) separately. Contact your Juniper Networks customer service representative for more information.

• In the SRX1400 Services Gateway Getting Started Guide, the following sections erroneously document the “RE ETHERNET” port as the “ETHERNET” port.

• Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services Gateway

• Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182

• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198

• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 212

• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 217


Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways

In order to upgrade to Junos OS Release 11.4 or later, your device must be running one of

the following Junos OS Releases:

• 9.1S1

• 9.2R4

• 9.3R3

• 9.4R3

• 9.5R1 or later

If your device is running an earlier release, upgrade to one of these releases and then to

the 11.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release

9.2R4 and then to Release 11.4.

For additional upgrade and download information, see the Junos OS Initial Configuration Guide for Security Devices and the Junos OS Migration Guide.

• Upgrade and Downgrade Scripts for Address Book Configuration on page 223

• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 226

• Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services

Gateways on page 226

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 11.4, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 2 on page 225).

• About Upgrade and Downgrade Scripts on page 223

• Running Upgrade and Downgrade Scripts on page 225

About Upgrade and Downgrade Scripts

After downloading the Junos OS Release 11.4, you have the following options for

configuring the address book feature:

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

After upgrading to the zone-attached address book configuration:

• You cannot configure address books using the zone-defined address book

configuration format; the CLI displays an error and fails to commit.

• You cannot configure address books using the J-Web interface.

For information on how to configure zone-attached address books, see the Junos OS

Release 11.4 documentation.

• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.


Figure 2: Upgrade and Downgrade Scripts for Address Books

(Figure: flow between the two formats. Starting from a zone-defined address book, download Junos OS Release 11.2 or later and run the upgrade script to reach the zone-attached address book configuration, in which the global address book is available by default, address books are defined under the security hierarchy, and zones need to be attached to address books. Running the downgrade script returns to the zone-defined address book. Note: make sure to revert any configuration that uses addresses from the global address book before doing so.)

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

• If you upgrade your device to Junos OS Release 11.4 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
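To make the two address book formats and the conversion rules from the "About Upgrade and Downgrade Scripts" and "Running Upgrade and Downgrade Scripts" sections concrete, the following Python model is added here as an illustration. It is not Juniper's operation script (which is a Junos op script that runs on the device) and does not reproduce it; it rewrites set-format zone-defined entries into per-zone books named <zone>-address-book, attaches each book to its zone, passes security policy and NAT lines through unchanged, and refuses to convert, as the scripts do, when both formats or a global address book are present. The sample set commands, the address names and the prefixes are constructed for this example.

```python
"""Illustrative converter from zone-defined to zone-attached address books.
Not Juniper's operation script; models the rules given in the release notes."""
import re

# Junos OS 11.1 style: address books live under each security zone.
ZONE_DEFINED = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book "
    r"(?P<kind>address|address-set) (?P<name>\S+) (?P<rest>.+)$")
# Junos OS 11.4 style: address books live under [edit security] and attach to zones.
ZONE_ATTACHED = re.compile(r"^set security address-book (?P<book>\S+)\b")


class MixedFormatError(ValueError):
    """Both formats present at once; the scripts refuse to run on such a configuration."""


class GlobalBookError(ValueError):
    """A global address book exists; the scripts refuse to run."""


def convert_to_zone_attached(set_lines):
    """Return the set-format configuration rewritten in zone-attached format.

    Entries for zone X go into a book named X-address-book, which is then attached
    to X. Policies keep working because address names do not change; NAT rules
    reference prefixes directly and are passed through untouched."""
    zone_entries, attached_lines, passthrough = [], [], []
    for raw in set_lines:
        line = raw.strip()
        if not line:
            continue
        m = ZONE_ATTACHED.match(line)
        if m:
            if m.group("book") == "global":
                raise GlobalBookError(line)
            attached_lines.append(line)
            continue
        m = ZONE_DEFINED.match(line)
        if m:
            zone_entries.append(m.groupdict())
        else:
            passthrough.append(line)

    if attached_lines and zone_entries:
        raise MixedFormatError(attached_lines[0])
    if attached_lines:                       # already in the 11.4 format; nothing to convert
        return [raw.strip() for raw in set_lines if raw.strip()]

    books = {}                               # book name -> zone, in first-seen order
    converted = []
    for e in zone_entries:
        book = f"{e['zone']}-address-book"
        books.setdefault(book, e["zone"])
        converted.append(
            f"set security address-book {book} {e['kind']} {e['name']} {e['rest']}")
    attach = [f"set security address-book {book} attach zone {zone}"
              for book, zone in books.items()]
    return converted + attach + passthrough


# Constructed sample: two zones with zone-defined books, a policy and a NAT rule.
SAMPLE_CONFIG = """
set security zones security-zone trust address-book address web 10.1.1.0/24
set security zones security-zone trust address-book address-set servers address web
set security zones security-zone untrust address-book address partner 203.0.113.0/24
set security policies from-zone trust to-zone untrust policy p1 match source-address web
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
""".splitlines()

if __name__ == "__main__":
    for line in convert_to_zone_attached(SAMPLE_CONFIG):
        print(line)
```

The two error classes correspond to the first two restrictions listed above: a configuration that mixes formats cannot have been committed, and a global address book must be removed before the scripts are run.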


Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see

http://www.juniper.net/support/eol/junos.html .

Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services Gateways

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on high-end SRX Series Services Gateways interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Related Documentation

• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182

• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220

• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 195


Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see

http://www.juniper.net/techpubs/software/junos/ .

If the information in the latest release notes differs from the information in the

documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation,

see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/ .

Juniper Networks supports a technical book program to publish books by Juniper Networks

engineers and subject matter experts with book publishers around the world. These

books go beyond the technical documentation to explore the nuances of network

architecture, deployment, and administration using the Junos operating system (Junos

OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,

published in conjunction with O'Reilly Media, explores improving network security,

reliability, and availability using Junos OS configuration techniques. All the books are for

sale at technical bookstores and book outlets around the world. The current list can be

viewed at http://www.juniper.net/books .

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can send your comments to

[email protected], or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include

the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf.


• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.


Revision History

8 December 2011—Revision 5, Junos OS 11.4.R1 Phase 1

6 December 2011—Revision 4, Junos OS 11.4.R1 Phase 1

1 December 2011—Revision 3, Junos OS 11.4.R1 Phase 1

21 November 2011—Revision 2, Junos OS 11.4.R1 Phase 1

17 November 2011—Revision 1, Junos OS 11.4.R1 Phase 1

Copyright © 2011, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
